SecurityTracker.com
Category:   Application (Generic)  >   TrueGalerie
Vendors:   Truelogik
TrueGalerie Authentication Flaw Lets Remote Users Gain Administrator Access to the Application
SecurityTracker Alert ID:  1006647
SecurityTracker URL:  http://securitytracker.com/id/1006647
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 25 2003
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.0
Description:   Two vulnerabilities were reported in TrueGalerie. A remote user can gain administrative access on the application. A remote user can also read certain files on the system.

It is reported that there is an authentication flaw in the verif_admin.php and check_admin.php scripts. A remote user can reportedly bypass the authentication checks performed by these scripts by setting the $loggedin variable to '1'. A demonstration exploit URL is provided:

http://[target]/admin.php?loggedin=1

It is also reported that a remote user can exploit the file upload function to read certain files on the system with the privileges of the web server. A remote user can set a cookie named 'file' whose value names the desired file and then submit the upload form. The specified file on the target system will reportedly be copied into the gallery as if it were an uploaded image. A remote user can, for example, view the 'config.php' file, which contains passwords.

A remote user can also bypass file size upload limits by specifying the maximum file size via a POST variable (MAX_FILE_SIZE).

Impact:   A remote user can gain administrative access on the application.

A remote user can read certain files on the system with the privileges of the web server. For example, the 'config.php' file, which contains the administrative password and underlying database password, can be viewed.

Solution:   No vendor solution was available at the time of this entry. An unofficial patch is available at:

http://www.phpsecure.info/

Vendor URL:  www.truelogik.net/downloads.php (Links to External Site)
Cause:   Authentication error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] True Galerie 1.0 : Admin Access & File Copy



Information :
Language : PHP
Website : http://www.truelogik.net
Version : 1.0
Problems :
- Admin Access
- File Copy


PHP Code/Location :
verif_admin.php, check_admin.php :

------------------------------------------------------------------------

<?
if(isset($connect)) {
	if($connect=="$passadmin") setcookie("loggedin","ok");
	if($connect=="no") setcookie("loggedin");
	Header("Location: ".$PHP_SELF);
}

$ok = ($loggedin!="");	// $loggedin is whatever request variable is named "loggedin" (register_globals), not only the cookie set above

if($ok) {
	echo "<center>";
	echo "<table>";
	echo "<tr><td align='center'><a href='?connect=no'>DECONNEXION</a></td></tr>";
	echo "</table>";
	echo "</center>";
}
else {
	echo "<center><form method='post'>";
	echo "<table>";
	echo "<tr><td align='center'>CONNEXION</td></tr>";
	echo "<tr><td align='center'>Password : admin</td></tr>";
	echo "<tr><td><input type='password' name='connect'></td></tr>";
	echo "<tr><td><input type='submit' value='Login'></td></tr>";
	echo "</table>";
	echo "</form></center>";
}
?>

------------------------------------------------------------------------




upload.php :

----------------------------------------------------------------------
[...]
$userip = $REMOTE_ADDR;
$pseudo = $_POST['pseudo'];
$message = $_POST['message'];
$email = $_POST['email'];
[...]
if((!$pseudo) || (!$message) || (!$file)) {
	[...]
	exit;
}

if(!ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.
        '@'.
        '[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
        '[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$',
        $email))
	{
	[...]
	exit();
}

[...]

if ($file_size >= $MAX_FILE_SIZE)
	{
	[...]
	exit();
}

if($HTTP_POST_FILES['file']['type']=="image/pjpeg") {
	$ext="jpg";
}
elseif($HTTP_POST_FILES['file']['type']=="image/gif") {
	$ext="gif";
}
if($HTTP_POST_FILES['file']['type']=="image/pjpeg"|$HTTP_POST_FILES['file']['type']=="image/gif") 
{

$date = time();

$query = "INSERT INTO $tablegalerie 
(cat_id,pseudo,email,url,message,date,clicks,img,userip) 
VALUES('$cat_id','$pseudo','$email','$url','$message','$date','','','$userip')";

mysql_query($query);

$id=mysql_insert_id();
$random_name = makeRandomName();

$dest_file="./$folder/$random_name.$ext";

$query = "UPDATE $tablegalerie SET img='$dest_file' WHERE id='$id'";
mysql_query($query);

$res_copy=@copy($file,$dest_file);	// $file may come from a cookie (register_globals), so any readable file can be copied here
@move_uploaded_file($file,$dest_file);
----------------------------------------------------------------------



Exploits :
- To be admin :
http://[target]/admin.php?loggedin=1


- To read config.php (with admin password, DB password,...) :
1) Set a cookie named "file" with the value "config.php" on 
http://[target]/form.php
2) Fill in the form on this form.php page (the image has to be a real image, 
.gif or .jpg!)
3) Submit the form
4) Go to the index and look at your file (the last registered image)
5) Read it: it's config.php.


Patch :
A patch can be found on http://www.phpsecure.info .


More Details In French :
http://www.frog-man.org/tutos/TrueGalerie.txt




frog-m@n
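As an added example (not TrueGalerie's code and not part of the message above), here is how the two checks quoted in the message can be written so that no request-controlled variable stands in for server-side state: the admin flag lives in the session, and the upload source path comes only from $_FILES. The names $passadmin_hash and $folder are assumed, as is PHP 8.

```php
<?php
// Added example, not TrueGalerie's code. Assumes config.php defines
// $passadmin_hash (a password_hash() value) and $folder (gallery directory).
declare(strict_types=1);
session_start();

// Admin state is kept in the session, never in a request variable such as
// $loggedin, which register_globals filled from ?loggedin=1 or a cookie.
function handle_admin_login(string $passadmin_hash): void {
    if (isset($_POST['connect']) && password_verify($_POST['connect'], $passadmin_hash)) {
        session_regenerate_id(true);
        $_SESSION['admin'] = true;
    }
    if (isset($_GET['connect']) && $_GET['connect'] === 'no') {
        $_SESSION = [];
        session_destroy();
    }
}

function is_admin(): bool {
    return !empty($_SESSION['admin']);
}

// The source path is taken only from $_FILES and must be a real uploaded temp
// file, so a cookie named "file" can no longer point copy() at config.php.
// Size limit and image type are decided on the server, not from the
// MAX_FILE_SIZE form field or the client-supplied Content-Type.
function store_upload(string $folder, int $max_bytes = 500000): ?string {
    if (!isset($_FILES['file']['tmp_name']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $_FILES['file']['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > $max_bytes) {
        return null;
    }
    $info = @getimagesize($tmp);             // inspects the bytes, not the header
    $type = $info === false ? 0 : $info[2];
    $ext = match ($type) {
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_GIF  => 'gif',
        default        => null,
    };
    if ($ext === null) {
        return null;
    }
    $dest = $folder . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return move_uploaded_file($tmp, $dest) ? $dest : null;
}
```

With this layout a request carrying loggedin=1 or a "file" cookie changes nothing, because neither value is ever read.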








Copyright 2019, SecurityGlobal.net LLC