[VIM] Free PHP photo gallery script Vulnerabilities
George A. Theall
theall at tenable.com
Fri Aug 6 13:01:57 CDT 2010
Exploit DB 14437 and 14438 / Bugtraq 41889, which cover
vulnerabilities in PHP Photo Gallery, look bogus to me.

ViRuS Qalaa doesn't mention which version of the application is
affected, and for some reason the download associated with those
always gives me a zero-byte length file. Still, I grabbed a copy from
http://phpweby.com/downloads/gallery. According to 'install.txt',
that's version 1.1. It doesn't have the
'jadro/libs/adodb/adodb-perf.inc.php' file that reportedly suffers
from a command execution vulnerability, but some digging around turned
up an older instance, also version 1.1, from
http://173.45.233.177/phpwebygallery.zip, which does have that file.
Exploit 14437 points to a call to 'exec()' at line #39 in
'jadro/libs/adodb/adodb-perf.inc.php' and suggests the second argument
is used to inject arbitrary code. Here's a larger snippet from that
file, starting at line 29:
    function adodb_getmem()
    {
        if (function_exists('memory_get_usage'))
            return (integer) ((memory_get_usage()+512)/1024);

        $pid = getmypid();
        if ( strncmp(strtoupper(PHP_OS),'WIN',3)==0) {
            $output = array();
            exec('tasklist /FI "PID eq ' . $pid. '" /FO LIST', $output);
            return substr($output[5], strpos($output[5], ':') + 1);
        }
The call to 'exec()' in this file indeed occurs at line 39 and matches
what ViRuS Qalaa reports in the advisory. Unfortunately, though, the
"vulnerable" code is located in a function call, and there's no way to
call that function that I can see by simply calling the script. Even
if there were, though, the second argument to a PHP 'exec()' call is
not passed to a shell but rather used to collect output from the
command specified in the first argument.
Exploit 14438 points to a call to 'include_once()' at line 4227 in
'jadro/libs/adodb/adodb.inc.php' and suggests an attacker can reach
that via the 'path' parameter. Here's a larger snippet from that file,
starting at line 4214:
    function &NewDataDictionary(&$conn,$drivername=false)
    {
        $false = false;
        if (!$drivername) $drivername = _adodb_getdriver($conn->dataProvider,$conn->databaseType);

        include_once(ADODB_DIR.'/adodb-lib.inc.php');
        include_once(ADODB_DIR.'/adodb-datadict.inc.php');

        $path = ADODB_DIR."/datadict/datadict-$drivername.inc.php";
        if (!file_exists($path)) {
            ADOConnection::outp("Dictionary driver '$path' not available");
            return $false;
        }
        include_once($path);
While there is a call to that function involving '$path', it's not
only in a function definition, but the value of '$path' is hardcoded.
George
--
theall at tenablesecurity.com
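The two checks made by hand above (exec()'s second argument is an output array, and a sink quoted by line number may sit inside a function that top-level script code never calls) can be turned into a small PHP triage script. This is an added example, not code from the VIM post, from ADOdb, or from PHP Photo Gallery; the sample source it inspects is constructed to resemble the quoted adodb-perf.inc.php excerpt, and the function names are the author's own.

```php
<?php
// Added triage example (not code from the VIM post, ADOdb or PHP Photo Gallery).
//   1. exec()'s second argument only collects the command's stdout; it is never
//      handed to a shell, so "injecting" through it does nothing.
//   2. a sink quoted by line number may live inside a function that no top-level
//      code calls, so simply requesting the script cannot reach it.

function exec_second_arg_demo(): array
{
    // Pre-seed the array the way a bogus report might expect "injection" to work.
    // exec() just appends lines of the first argument's stdout to it.
    $output = ['pre-seeded string, never executed'];
    exec('echo adodb-perf-demo', $output, $rc);
    return ['lines' => $output, 'exit' => $rc];
    // ['lines' => ['pre-seeded string, never executed', 'adodb-perf-demo'], 'exit' => 0]
}

/** Token walk annotating each token with the function whose body encloses it (approximate:
 *  string tokens such as '{' carry the line of the preceding token). */
function token_scopes(string $src): array
{
    $out = [];           // [text, line, enclosing function or null, is a declaration name]
    $depth = 0;          // brace nesting depth
    $open = [];          // stack of [name, depth at which its body opened]
    $pending = null;     // function name seen, body brace not yet seen
    $awaitName = false;  // just saw the 'function' keyword
    $line = 1;
    foreach (token_get_all($src) as $tok) {
        $isDecl = false;
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            if ($id === T_FUNCTION) { $awaitName = true; $pending = '{closure}'; }
            elseif ($awaitName && $id === T_STRING) { $pending = $text; $awaitName = false; $isDecl = true; }
            elseif ($id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) { $depth++; }
        } else {
            $text = $tok;
            if ($tok === '(') { $awaitName = false; }          // anonymous function
            elseif ($tok === ';') { $pending = null; }         // abstract/interface method
            elseif ($tok === '{') {
                $depth++;
                if ($pending !== null) { $open[] = [$pending, $depth]; $pending = null; }
            } elseif ($tok === '}') {
                if ($open && end($open)[1] === $depth) { array_pop($open); }
                $depth--;
            }
        }
        $out[] = [$text, $line, $open ? end($open)[0] : null, $isDecl];
    }
    return $out;
}

/** Name of the function whose body contains $line, or null for top-level code. */
function enclosing_function(string $src, int $line): ?string
{
    foreach (token_scopes($src) as [$text, $tline, $fn]) {
        if ($tline === $line && $fn !== null) { return $fn; }
    }
    return null;
}

/** True when $name() is called from code outside every function body: a rough
 *  proxy for "reachable by simply requesting the script". */
function called_at_top_level(string $src, string $name): bool
{
    $toks = token_scopes($src);
    foreach ($toks as $i => [$text, , $fn, $isDecl]) {
        if ($text !== $name || $fn !== null || $isDecl) { continue; }
        for ($j = $i + 1; $j < count($toks); $j++) {   // skip whitespace to the next token
            if (trim($toks[$j][0]) !== '') { break; }
        }
        if ($j < count($toks) && $toks[$j][0] === '(') { return true; }
    }
    return false;
}

/** Constructed sample in the shape of the quoted adodb-perf.inc.php excerpt (not the real file). */
function sample_source(): string
{
    return <<<'PHP'
<?php
function adodb_getmem()
{
    $pid = getmypid();
    $output = array();
    exec('tasklist /FI "PID eq ' . $pid . '" /FO LIST', $output);
    return substr($output[5], strpos($output[5], ':') + 1);
}
echo "gallery page\n";
PHP;
}

$r = exec_second_arg_demo();
printf("exec() output lines: %s (exit %d)\n", json_encode($r['lines']), $r['exit']);
$src = sample_source();
printf("line 6 is inside: %s\n", enclosing_function($src, 6) ?? 'top-level code');
printf("adodb_getmem() called at top level: %s\n", called_at_top_level($src, 'adodb_getmem') ? 'yes' : 'no');
```

Run with `php triage.php`. For the constructed sample, line 6 (the exec() call) reports as inside adodb_getmem, and adodb_getmem is not called at top level, which is the same conclusion the post reaches about the real file; the scope walker only tracks braces and function names, so treat its answer as a starting point for reading the code, not a proof.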