From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 17 Jan 2005 14:08:57 +0200
Subject: [UNIX] SGallery Multiple Vulnerabilities (SQL Injection, Path Disclosure, File Inclusion)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050117124847.B8FA357BA@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
SGallery Multiple Vulnerabilities (SQL Injection, Path Disclosure, File
Inclusion)
------------------------------------------------------------------------
SUMMARY
<http://www.ser.acmetelecom.ru/>; SGallery is "a image gallery generating
module for PHP-Nuke". Multiple vulnerabilities have been discovered in the
product allowing a remote attacker to: inject arbitrary SQL statements,
disclose the path under which the product has been installed and include
and execute external files.
DETAILS
Vulnerable Systems:
* SGallery version 1.01 and prior
Vulnerable code:
Let's look at source code from imageview.php:
require_once("$DOCUMENT_ROOT/config.php");
require_once("$DOCUMENT_ROOT/includes/sql_layer.php");
$dbi = sql_connect ($dbhost,$dbuname,$dbpass,$dbname);
if ($idalbum) {
$result = sql_query("select picture from ".$prefix."_SGalbums where
idalbum=".$idalbum,$dbi);
} elseif ($idimage) {
$result = sql_query("select picture from ".$prefix."_SGimages where
idimage=".$idimage,$dbi);
}
list($echo) = sql_fetch_row($result, $dbi);
sql_free_result($result);
sql_logout ($dbi);
header ("Content-Type: image/jpeg");
echo $echo;
Now let's analyze the weak points.
Full Path Disclosure:
If "$idalbum" and "$idimage" are both unset, then because of the open
"if/elseif" construction there variable "$result" will be unset or can be
poisoned through GET/POST/COOKIE. And next call of the "sql_fetch_row()"
will trigger generic php error messages, leading to full path disclosure.
Path disclosure is considered as low level security threat, but anyway
it's useful for further malicious actions.
Arbitrary File Inclusion:
This kind of code construction as
require_once("$DOCUMENT_ROOT/config.php");
require_once("$DOCUMENT_ROOT/includes/sql_layer.php");
is not very secure. Depending of the web server software vendor,version
number and configuration settings it can lead to arbitrary file inclusion
and possible remote file inclusion.
SQL Injection bug in "imageview.php":
Looking at source code, presented above, we can see insecure SQL queries
directed to the database. To be excact, user submitted variables
"$idalbum" and/or "$idimage" are used in SQL "SELECT" clause without
escaping with single quotes. This is clearly sql injection bug. Further
exploitation will depend on database software and version. In case of the
MySQL version 4.x with UNION functionality enabled, arbitrary data can be
retrieved from database, including admin(s) authentication credentials.
Traditionally, there is the proof of concept:
Exploit:
http://localhost/nuke75/modules/Sgallery/imageview.php?idimage=-99/**/UNION/
**/SELECT/**/pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1
Best browser to test this proof of concept is Microsoft Internet Explorer
- it will show plaintext admin password's md5 hash as needed. Firefox and
other browsers will mostly rendering out "broken picture" because of the
"Content-Type: image/jpeg" header. But anyway, SQL injection exists, can
be exploited and must be fixed by vendor as soon as possible.
ADDITIONAL INFORMATION
The information has been provided by <mailto:come2waraxe@yahoo.com.> Janek
Vind.
The original article can be found at:
<http://www.waraxe.us/advisory-39.html>;
http://www.waraxe.us/advisory-39.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
