Remote Privilege Escalation Exploit

solar-flare · 06-03-2006, 02:43 PM

FYI, milw0rm is reporting a Remote Privilege Escalation Exploit in PP <= 1.5

http://www.milw0rm.com/exploits/1868

GeoS · 06-03-2006, 03:36 PM

Thx for link.

For now without testing but seeing security whole fast fix looks like:
1) find:

PHP Code:


			
} // end imageprint



// fix a popuplink



$tpl = ereg_replace("<SITE_TITLE>",$pixelpost_site_title,$tpl);



if(isset($_GET['x']) &&$_GET['x'] == "browse")

{

    $thumb_output = "";

    $where = "";



    if($_GET['category'] != "")

2) replace it with:

PHP Code:


			
} // end imageprint



// fix a popuplink



$tpl = ereg_replace("<SITE_TITLE>",$pixelpost_site_title,$tpl);



if(isset($_GET['x']) &&$_GET['x'] == "browse")

{

    $thumb_output = "";

    $where = "";



    if(is_numeric($_GET['category']) && $_GET['category'] != "")

Now Im going out so rest must wait for a while.

sbzx · 06-03-2006, 08:41 PM

In fact, there seem to be three exploits there.

se.nsuo.us · 06-04-2006, 03:35 AM

Sigh! finally someone else got to it and published...

Fixes are easy - but it is Sunday morning here

As for Register Globals = On exploit anyone who runs a server with that setting is doomed anyways

GeoS · 06-04-2006, 09:13 AM

In case of register_globals = On all depends from variables_order which by default is secure:
variables_order = "EGPCS"

GeoS · 06-04-2006, 11:41 AM

Next fix for register globals.

Affected files:
/admin/categories.php
/admin/comments.php
/admin/images_edit.php
/admin/new_image.php
/admin/options.php
/admin/view_addons.php
/admin/view_info.php

Find at beginning of each:

PHP Code:


			
if(!isset($_SESSION["pixelpost_admin"]) || $cfgrow['password'] != $_SESSION["pixelpost_admin"]) {

    die ("Try another day!!");

}

and repleace with:

PHP Code:


			
if(!isset($_SESSION["pixelpost_admin"]) || $cfgrow['password'] != $_SESSION["pixelpost_admin"] || $_GET["_SESSION"]["pixelpost_admin"] == $_SESSION["pixelpost_admin"]) {

    die ("Try another day!!");

}

PS In a minute there will be CVS fix.

GeoS · 06-04-2006, 12:01 PM

Next fast fix for point 2. There will be probably better one in future.

Find in /index.php (line 681/712):

PHP Code:


			
ELSE IF ($_GET['archivedate'] != "")

and replace it with:

PHP Code:


			
ELSE IF ($_GET['archivedate'] != "" && strlen($_GET['archivedate']) < 20)

Joe[y] · 06-04-2006, 12:18 PM

is point 4 fixed on that? it scares me! but i don't fully understand how it works.

Connie · 06-04-2006, 03:36 PM

have a look at www.photografitti.de

I cannot log in anymore, my hoster says he did nothing..

something "wait for redirect..:"

is this caused by some of these exploits?

GeoS · 06-04-2006, 03:43 PM

I forgot about this one.

At beginning of /admin/index.php find:

PHP Code:


			
You should have received a copy of the GNU General Public License

along with this program; if not, write to the Free Software

Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.



*/

and replace with:

PHP Code:


			
You should have received a copy of the GNU General Public License

along with this program; if not, write to the Free Software

Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.



*/



// variable clean up

if(isset($_GET["loginmessage"]))    $loginmessage = "";

06-03-2006, 02:43 PM	#1
solar-flare forum loafer Join Date: May 2005 Location: Washington, DC Posts: 1	Remote Privilege Escalation Exploit FYI, milw0rm is reporting a Remote Privilege Escalation Exploit in PP <= 1.5 http://www.milw0rm.com/exploits/1868 __________________ www.solar-flare.us Hosted by Pseudo-Servers Hosting: www.pseudo-servers.com

06-03-2006, 03:36 PM	#2
GeoS Team Pixelpost Join Date: Apr 2005 Location: Warsaw, Poland Posts: 3,074	Thx for link. For now without testing but seeing security whole fast fix looks like: 1) find: PHP Code: `} // end imageprint // fix a popuplink $tpl = ereg_replace("<SITE_TITLE>",$pixelpost_site_title,$tpl); if(isset($_GET['x']) &&$_GET['x'] == "browse") { $thumb_output = ""; $where = ""; if($_GET['category'] != "")` 2) replace it with: PHP Code: `} // end imageprint // fix a popuplink $tpl = ereg_replace("<SITE_TITLE>",$pixelpost_site_title,$tpl); if(isset($_GET['x']) &&$_GET['x'] == "browse") { $thumb_output = ""; $where = ""; if(is_numeric($_GET['category']) && $_GET['category'] != "")` Now Im going out so rest must wait for a while. __________________ My photoblog powered by PixelPost 1.6 dev SVN with mod_rewrite feature and Related Pictures addon Show Category ADDON GeoS No SPAM Template woophy.com - votes are welcome coolphotoblogs.com - feel free to vote

06-03-2006, 08:41 PM	#3
sbzx pp veteran Join Date: Jun 2005 Location: Szentendre, Hungary Posts: 53	In fact, there seem to be three exploits there. __________________ :: sbzx usualsubjects.com

06-04-2006, 03:35 AM	#4
se.nsuo.us pixelpost guru Join Date: Dec 2005 Location: Somewhere in India Posts: 623	Sigh! finally someone else got to it and published... Fixes are easy - but it is Sunday morning here As for Register Globals = On exploit anyone who runs a server with that setting is doomed anyways __________________ http://se.nsuo.us - A photoblog of sensual, abstract nudes [may not be work safe for some] My Pixelpost Addons, Cheesecake-Photoblog Software

06-04-2006, 09:13 AM	#5
GeoS Team Pixelpost Join Date: Apr 2005 Location: Warsaw, Poland Posts: 3,074	In case of register_globals = On all depends from variables_order which by default is secure: variables_order = "EGPCS" __________________ My photoblog powered by PixelPost 1.6 dev SVN with mod_rewrite feature and Related Pictures addon Show Category ADDON GeoS No SPAM Template woophy.com - votes are welcome coolphotoblogs.com - feel free to vote

06-04-2006, 11:41 AM	#6
GeoS Team Pixelpost Join Date: Apr 2005 Location: Warsaw, Poland Posts: 3,074	Next fix for register globals. Affected files: /admin/categories.php /admin/comments.php /admin/images_edit.php /admin/new_image.php /admin/options.php /admin/view_addons.php /admin/view_info.php Find at beginning of each: PHP Code: `if(!isset($_SESSION["pixelpost_admin"]) \|\| $cfgrow['password'] != $_SESSION["pixelpost_admin"]) { die ("Try another day!!"); }` and repleace with: PHP Code: `if(!isset($_SESSION["pixelpost_admin"]) \|\| $cfgrow['password'] != $_SESSION["pixelpost_admin"] \|\| $_GET["_SESSION"]["pixelpost_admin"] == $_SESSION["pixelpost_admin"]) { die ("Try another day!!"); }` PS In a minute there will be CVS fix. __________________ My photoblog powered by PixelPost 1.6 dev SVN with mod_rewrite feature and Related Pictures addon Show Category ADDON GeoS No SPAM Template woophy.com - votes are welcome coolphotoblogs.com - feel free to vote

06-04-2006, 12:01 PM	#7
GeoS Team Pixelpost Join Date: Apr 2005 Location: Warsaw, Poland Posts: 3,074	Next fast fix for point 2. There will be probably better one in future. Find in /index.php (line 681/712): PHP Code: `ELSE IF ($_GET['archivedate'] != "")` and replace it with: PHP Code: `ELSE IF ($_GET['archivedate'] != "" && strlen($_GET['archivedate']) < 20)` __________________ My photoblog powered by PixelPost 1.6 dev SVN with mod_rewrite feature and Related Pictures addon Show Category ADDON GeoS No SPAM Template woophy.com - votes are welcome coolphotoblogs.com - feel free to vote

06-04-2006, 12:18 PM	#8
Joe[y] Team Pixelpost Join Date: Mar 2005 Location: UK Posts: 3,088	is point 4 fixed on that? it scares me! but i don't fully understand how it works. __________________ ZOMBIE GOAT PORN

06-04-2006, 03:36 PM	#9
Connie Team Pixelpost Join Date: Oct 2004 Location: Hamburg, Germany Posts: 4,630	have a look at www.photografitti.de I cannot log in anymore, my hoster says he did nothing.. something "wait for redirect..:" is this caused by some of these exploits? __________________ Connie -------\| one of the Pixelpost-Veterans www.photografitti.de my Photoprojects: www.zweiterblick.de

06-04-2006, 03:43 PM	#10
GeoS Team Pixelpost Join Date: Apr 2005 Location: Warsaw, Poland Posts: 3,074	I forgot about this one. At beginning of /admin/index.php find: PHP Code: `You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. /` and replace with: PHP Code: `You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. / // variable clean up if(isset($_GET["loginmessage"])) $loginmessage = "";` __________________ My photoblog powered by PixelPost 1.6 dev SVN with mod_rewrite feature and Related Pictures addon Show Category ADDON GeoS No SPAM Template woophy.com - votes are welcome coolphotoblogs.com - feel free to vote

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode