[VIM] Dup: Gallery 1.2.5 (GALLERY_BASEDIR) Multiple RFI Vulnerabilities
security curmudgeon
jericho at attrition.org
Thu Apr 26 20:22:38 UTC 2007
: The issues covered by Milw0rm 3743 / Bugtraq 23502 are a subset of those
: posted back in 2002 by avart at gmx.de; eg,
:
: http://archives.neohapsis.com/archives/bugtraq/2002-07/0471.html
:
: and covered by CVE-2002-1412 / Bugtraq 5375. Or am I missing something?
back when most of us called it 'command execution' and hadn't started
commonly calling this RFI =)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-1412
Gallery photo album package before 1.3.1 allows local and possibly remote
attackers to execute arbitrary code via a modified GALLERY_BASEDIR
variable that points to a directory or URL that contains a Trojan horse
init.php script.
(the associated mail list post shows the RFI vuln in captionator.php and
references the vendor fix for errors/configmode.php, errors/needinit.php,
errors/reconfigure.php, errors/unconfigured.php.)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-2123
PHP remote file inclusion vulnerability in publish_xp_docs.php for Gallery
1.3.2 allows remote attackers to inject arbitrary PHP code by specifying a
URL to an init.php file in the GALLERY_BASEDIR parameter.
http://www.securityfocus.com/bid/23502/exploit
http://www.example.com/errors/needinit.php?GALLERY_BASEDIR=Shell
http://www.example.com/errors/reconfigure.php?GALLERY_BASEDIR=Shell
http://www.example.com/errors/unconfigured.php?GALLERY_BASEDIR=Shell
http://www.example.com/errors/configmode.php?GALLERY_BASEDIR=Shell
(the four vendor mentioned files)
http://milw0rm.com/exploits/3743
# Exploit:[Path]/errors/needinit.php?GALLERY_BASEDIR=Shell
# Exploit:[Path]/errors/reconfigure.php?GALLERY_BASEDIR=Shell
# Exploit:[Path]/errors/unconfigured.php?GALLERY_BASEDIR=Shell
# Exploit:[Path]/errors/configmode.php?GALLERY_BASEDIR=Shell
(the four vendor mentioned files)
--
So, the CVE above isn't necessarily a dupe as it doesn't mention the
vulnerable files. If the CVE is expanded/overhauled, I'd guess they will
change it to mention the four files as well as the example RFI vuln in the
original disclosure, but it seems they could just as easily add it to
2002-2123?
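
Added example, not part of the original post and not Gallery's own code: a log check for the pattern both CVE entries describe, a request that supplies GALLERY_BASEDIR itself, tagged by whether the value is a URL or a local path and whether the script is one named above. It assumes Apache-style access-log lines; the sample lines, addresses, host.invalid and other.php are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Scripts named in the CVE entries and advisories quoted in this post.
KNOWN_SCRIPTS = (
    "errors/needinit.php", "errors/reconfigure.php",
    "errors/unconfigured.php", "errors/configmode.php",
    "captionator.php", "publish_xp_docs.php",
)
# Assumption: access-log lines of the form: client ... "METHOD target HTTP/x.y" ...
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)

def classify(line):
    """Return a finding dict if the request sets GALLERY_BASEDIR, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    # parse_qsl percent-decodes, so encoded URLs are classified correctly.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name != "GALLERY_BASEDIR":
            continue
        return {
            "client": client,
            "path": parts.path,
            "value": value,
            "kind": "remote" if SCHEME_RE.match(value) else "local",
            "known_script": parts.path.endswith(KNOWN_SCRIPTS),
        }
    return None

def scan(lines):
    """Collect findings for every line that sets GALLERY_BASEDIR in the query."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation addresses, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Apr/2007:20:01:02 +0000] "GET /gallery/albums.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Apr/2007:20:03:44 +0000] "GET /gallery/errors/needinit.php?GALLERY_BASEDIR=http%3A%2F%2Fhost.invalid%2F HTTP/1.1" 200 312',
    '198.51.100.7 - - [26/Apr/2007:20:03:50 +0000] "GET /gallery/captionator.php?GALLERY_BASEDIR=/tmp/ HTTP/1.0" 200 298',
    '203.0.113.5 - - [26/Apr/2007:20:05:00 +0000] "GET /gallery/other.php?GALLERY_BASEDIR=ftp://host.invalid/x/ HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the query string is inspected; a value sent in a POST body or cookie does not appear in an access log and needs a different data source.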