Security Bug in My_eGallery 2.7.9 FIXED!!! READ!!!
Laffer writes "I found out how to quickly fix the security exploit.
Open the file displayCategory.php in /modules/My_eGallery/public
after the first line starting insert:
$bug = strpos($basepath,"http");
if ($bug === false) {
and before the last line starting with ?>
insert:
}
else {
echo "You are trying to hack our site! GO AWAY BASTARD!";
}
How does this work? The exploit is STUPID! $basepath contains the base path of the My_eGallery modules. In the first lines of displayCategory.php some files must be included. Now if the attacker gives $basepath new content via the URL, in the exploit's case the http://www.bywordonline.com/sc/app.txt value, then the module includes this code from outside into the program. The app.txt then runs system calls with the rights of the webserver.
My fix will test whether basepath contains a link to an outside URL instead of a local path (looking for http); if this is found, code execution is suspended. Maybe not the best fix, but a quick fix. There is still a hole, but now the attacker must first upload a bad file to execute it. I will work further on this issue to fix it completely. Help from the Nukecops would be great!!!
See ya
"
Posted on Friday, November 28 @ 16:20:30 CET by Zhen-Xjell

Re: Security Bug in My_eGallery 2.7.9 FIXED!!! READ!!! (Score: 1) by Johan1982 on Friday, November 28 @ 18:40:47 CET
Is a permanent solution still not known? Hopefully the staff of Nukecops will contribute a permanent fix.

Re: Security Bug in My_eGallery 2.7.9 FIXED!!! READ!!! (Score: 1) by Laffer on Saturday, November 29 @ 03:54:41 CET (http://www.comicfan.de)
Permanent solution is to replace $basepath in all
include ("$basepath
lines with the realpath! Then the exploit is 100% fixed. I am working on this!

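One way to implement the realpath-based permanent fix described in the comment above, as an added example that is not part of the original thread and not My_eGallery code. The function name resolve_module_file, the temporary directory layout and the example.invalid URL are constructed for illustration.

```php
<?php
// Added example, not My_eGallery code. The directory layout below is constructed.

/**
 * Return the canonical path of $relative only if it is an existing regular
 * file inside $base; return null for anything else.
 */
function resolve_module_file(string $base, string $relative): ?string
{
    // realpath() works on the local filesystem only, so a URL-style value
    // does not resolve and is rejected here.
    $base = realpath($base);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // After symlinks and ".." are resolved, the file must still be under $base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed layout: <tmp>/<demo>/module/public/functions.php and <tmp>/<demo>/outside.php
$root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('gallery_demo_');
$module = $root . DIRECTORY_SEPARATOR . 'module';
mkdir($module . DIRECTORY_SEPARATOR . 'public', 0700, true);
file_put_contents("$module/public/functions.php", "<?php // module file\n");
file_put_contents("$root/outside.php", "<?php // not part of the module\n");

// [base, relative] pairs. In real code the base is a server-side constant
// and is never read from the request; the last base is what a
// request-supplied value pointing off-site would look like.
$cases = [
    [$module, 'public/functions.php'],
    [$module, '../outside.php'],
    [$module, 'public/missing.php'],
    ['http://example.invalid/sc', 'functions.php'],
];
foreach ($cases as [$base, $relative]) {
    $file = resolve_module_file($base, $relative);
    printf("%-28s %-22s %s\n", $base === $module ? '(module dir)' : $base, $relative,
        $file === null ? 'rejected' : 'would include');
}

// Remove the constructed files again.
unlink("$module/public/functions.php");
unlink("$root/outside.php");
rmdir("$module/public"); rmdir($module); rmdir($root);
```

Because the check allows only existing files under one fixed directory, it does not depend on recognising any particular prefix in the supplied value.
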
Re: Security Bug in My_eGallery 2.7.9 FIXED!!! READ!!! (Score: 1) by Jeruvy on Friday, November 28 @ 18:58:41 CET
Here is the actual exploit. For some reason Zhen-Xjell doesn't want to post my news on this so I'm including it here. Perhaps you can gather a solution to this:
Product: My_eGallery
Versions affected: all /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
print_output();
?>
This allows execution of any command on the server with My_eGallery, under
the privileges of the Web server (usually apache or httpd).
3. Solution
-----------
Vendor was contacted and promptly replied. Fix is available at the vendor's
site:
http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5
As this was seen being exploited in the wild, users are urged to upgrade to
the latest version as soon as possible.
Regards,
Bojan Zdrnja
CISSP

Re: Security Bug in My_eGallery 2.7.9 FIXED!!! READ!!! (Score: 1) by Laffer on Saturday, November 29 @ 03:53:33 CET (http://www.comicfan.de)
The bug is easy: The first line of the module contains
include ("$basepath/somemodule.php");
Since basepath will link to the http://someurl/textfile.txt, the textfile.txt from another location will be included and therefore executed through the webserver. This textfile.txt contains, as you mentioned, malicious code, calling the SYSTEM function to execute in the /tmp directory of the webserver (and afterwards deleted). But in the / or /tmp you often find some remnants of other modules, like in my case, a kernel exploit which was uploaded and started this way...

Re: Security Bug in My_eGallery 2.7.9 FIXED!!! READ!!! (Score: 1) by johnnycard on Saturday, November 29 @ 08:37:06 CET
Jeruvy's link points to an upgrade for Post Nuke by the looks of it. Is there anyone who could port this fix for PHP Nuke?

Re: Security Bug in My_eGallery 2.7.9 FIXED!!! READ!!! (Score: 1) by Jeruvy on Saturday, November 29 @ 10:54:32 CET
Yes, the vulnerability discussed is for Post-Nuke, but the code is very similar. I'm sorry it pasted terribly. I noticed www.net-security.org has reposted the original disclosure so perhaps you may find more help there. I'm curious the author hasn't come forth. Is this module still supported?