[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [cobalt-users] Php Gallery root exploit
- Subject: RE: [cobalt-users] Php Gallery root exploit
- From: "Bob Noordam" <mac@xxxxxxxx>
- Date: Tue Jan 27 10:47:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> -----Oorspronkelijk bericht-----
> Van: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx] Namens Ryan Verner
> Verzonden: dinsdag 27 januari 2004 0:54
> Aan: cobalt-users@xxxxxxxxxxxxxxx
> Onderwerp: Re: [cobalt-users] Php Gallery root exploit
>
> On 27/01/2004, at 5:40 AM, Bob Noordam wrote:
>
> > Altough not strictly cobalt-only related, and certanly not a SUN
> > issue, i know this may hit multiple users around here, so i
> took the
> > liberty of posting
>
> <snip>
>
> > Below is the fix for users of version 1.3x. Modify the
> INIT.PHP file,
> > and add the lines as indicated. If you do not fix this, full access
> > may be gained to your machine.
>
> Good advice, and thanks for posting, but how is this a root
> exploit, when the script (hopefully) doesn't even run as root? :-)
>
> R
>
Excelent question. I do not know the finesses of the internals of php. It
seems to be a cross site scripting issue enabling you to overwrite files on
the webserver from the base url, by including files from your own server. A
howto for that was not given :)
Below is the original advisory issued by secunia; perhaps someone more
knowledgable about php can figure out the exact "hack" described.
Bob.
TITLE:
Gallery Arbitrary File Inclusion Vulnerability
SECUNIA ADVISORY ID:
SA10712
VERIFY ADVISORY:
http://www.secunia.com/advisories/10712/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE: