Back to list
[MajorSecurity #18] Ralf Image Gallery <=0.7.4 - Multiple XSS, Remote File Include and directory traversal vulnerabilities
Jun 20 2006 02:32PM
admin majorsecurity de
Re: [MajorSecurity #18] Ralf Image Gallery <=0.7.4 - Multiple XSS, Remote File Include and directory traversal vulnerabilities
Jun 27 2006 03:34PM
Marc MERLIN (marc_news merlins org)
On Tue, Jun 20, 2006 at 02:32:16PM -0000, admin (at) majorsecurity (dot) de [email concealed] wrote:
> Discovered by: David "Aesthetico" Vieira-Kurz
> Original Advisory:
> Affected Products:
> RIG 0.7.4(unstable) and prior
> RIG 0.6.45 and 0.7(stable) and prior
> Contacted Vendor:
> I have contacted Le R'alf on June, 12th 2006 at 2:37 PM via e-mail, but until today I got no response
> and the bug was still not fixed!!!
So, for the record, R'alf never received the mail, never had a trace of it
reaching its smtp server in his logs, and neither him or I heard back from
Mr Vieira-Kurz when asking for information about that original mail like the
destination or Message-Id.
In other words, instead of giving the author a chance to fix the software,
get/give peer review on the fix, and a chance to the users to upgrade
their servers, his work helped create more nodes in botnets that tried/are
now trying to attack your machines, and send you spam.
Full disclosure is good, but a minimum of effort trying to prevent the
negative and unnecessary effects of it would go a long way to make this
internet a better place.
That said, R'alf fixed the software soon after being really notified (i.e.
his machine being attacked after the info posted here), and the fix can be
The delay in this Email here was to give a chance to Mr Vieira-Kurz to reply
before posting here, but he never did. Whether he never sent the
notification, sent it to the wrong address, or sent it to the right one, but
the internet ate it, we can't say without his cooperation.
(not the author of RIG, just posting the link here for those who might not
be on the user list, and didn't get the fix and the original upgrade
announcement attached in this mail)
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
Date: Fri, 23 Jun 2006 14:55:00 -0700
From: Ralf <ralfoide (at) gmail (dot) com [email concealed]>
Subject: IMPORTANT: Security Vulnerability in RIG
IMPORTANT: Vulnerability found in RIG. Please read!!
A vulnerability has been found in RIG that affects all version:
Unfortunately the person who advertised the vulnerability did not
contact me prior doing so. My server was actually compromised as well
as one from my friends.
I consequently URGE you to do the following:
1- Stop your apache web server and look for intrusions. See below.
2- Fix RIG as described below or switch to another web-based album
such as Gallery.
1- STOP APACHE AND LOOK AT YOUR SYSTEM
This applies to a Debian distro. Things may be different on another distro.
# apachectl stop
# /etc/init.d/apache stop
Look at your apache logs. Typically you'd have been infected started June 21st.
Look for any url containing "check_entry.php" in your apache log files:
# grep check_entry /var/log/apache/*.log
Under debian, apache runs as "www-data" so you want to look at the
activity done by this user (running processes and files created)
If you have full control of the machine and can connect locally,
switch to single-user mode by using "telinit 1" as root. If not,
please stop as many services as you can while you scan your system.
Look in /tmp for anything owned by www-data and delete it.
Look in all your album directories. For example in the directory
pointed to by "dir_abs_src" for me, there was a .tgz file and an
unpacked version of it.
Using "ps wfaux" look for processes still running as www-data.
Typically you may find an "httpd" still running. Try killing it.
Make sure there is no crontab for the www-data user.
Using "locate name" or "find / -name "..." -print", look for these names:
cupu y2kupdate fblast dbspy psybnc eggdrop onebounce
If you find such files, remove them.
Only continue when you think your system is clean. You don't want to
run a compromised host on the internet, it would be used to generate
DOS attacks and send spam and you may be legally demeed responsible.
2- FIXING RIG
A- Locate any instance of check_entry.php on your disk (generally
installed where index.php is). Edit the function rig_check_src_file()
as following (added lines have a + at the beginning):
// enabling track_errors is a big help
+ // disable auto-globals from CGI params
+ ini_set("register_globals", "0");
+ if (ini_get("register_globals") == 1)
+ echo "<h1>RIG Configuration Error</h1>";
+ echo "<h2>Important!</h2>You MUST disable
<em>register_globals</em> in your PHP.INI file!";
// check it worked
$track_errors = (ini_get("track_errors") == 1);
$result = @file_exists($name);
$result = file_exists($name);
+ // Uncomment the following line for debugging new installations
echo "<h1>RIG Configuration Error</h1>";
echo "<h2>Error</h2>A source file could not be located! Please
check <em>location.php</em> file!";
echo "<h2>Important!</h2>Please consider enabling
<em>track_errors</em> in your PHP.INI file!";
echo "<b>file path</b> = '$name'<br>";
echo "<b>dir_instal</b> = '$dir_abs_install'<br>";
echo "<b>dir_abs_src</b> = '$dir_abs_src'<br>";
echo "<b>dir_abs_admin_src</b> = '$dir_abs_admin_src'<br>";
echo "<b>dir_abs_globset</b> = '$dir_abs_globset'<br>";
echo "<b>dir_abs_locset</b> = '$dir_abs_locset'<br>";
B- Now locate php.ini, generally in /etc/php4/apache/php.ini on your system.
Edit the file and locate the line "register_globals". Change the
setting from On to Off.
Re-enabled your web server or restart it.
# apachectl restart
To make sure the fix worked:
- create a file foo.php in your public_html with the following content:
<?php echo 123 ?>
then try to compromise your own site as an attacker would do:
(note the extra ? at the end)
Feel feel free to contact me if you need help performing this.
Easiest way to contact me is with ralfoide (at) gmail (dot) com [email concealed]
or on Google Talk (http://talk.google.com) I have id "ralfoide"
or on Skype id "ralfoide".
[ reply ]
Copyright 2010, SecurityFocus