25 May

phpAutoGallery Hack
Recently, while I was investigating the security of my friend's website, I stumbled upon a brilliant piece of dangerous programming: the phpAutoGallery library.

I've shown my friend and others what's wrong with this library and now I will show it to you. Hopefully Google will pick this thread up so that nobody will use this crappy library in the future and if not: you will have your first basic hacking skillllzzzz after reading this article.

So, what's phpAutoGallery?

phpAutoGallery is a piece of software that automatically generates thumbnails and will make your image directories browsable without the need for any database. In principle, this could be a nice feature; too bad they didn't worry about security.



What's wrong with it?

The library has a minimal admin-panel which needs a username and password. Because phpAutoGallery only uses php (with no further database back-end) this login information is saved in a config file. That's not all that bad...unless you can read it; guess what...you can!

How to 'steal' the password

I will use the phpAutoGallery demo on SourceForge to demonstrate this exploit.

Have a look at it here: http://phpautogallery.sourceforge.net/demo/

XSS Exploit

The first thing I noticed when I played around a bit with this library was an XSS exploit. This is quite easy to show you, just click here to show your cookie.

This might be exploited when there is use of cookies on the website (which could store login or session information). Google XSS to read more about it, because at the moment...we're trying to steal a password.

Finding clues in the source

When I found this XSS bug, which could be easily repaired, I thought to myself: more vulnerabilities might be found. I downloaded the source and found some 'special directories'. Take a look at this:

demo/__phpAutoGallery/
demo/__phpAutoGallery__phpLoader/
demo/__phpAutoGallery__picLoader/

The last link (when running on a server that suppresses PHP error messages) will show you the directory listing. Now we are able to navigate the files; check, for instance, the sometimes valuable .htaccess file.

Getting the passwords

Now that we can browse files, we could try to obtain the config file which holds the administrator's username and password.

Luckily, this can be done. Show the config file here and search for 'username' and 'password'...Now you will be able to log in to the administrator's panel.
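As an added example (not part of the original article or of phpAutoGallery itself), here is a small Python log check a webmaster can run over an Apache access log to spot the three request patterns described above: directory-listing requests on the `__phpAutoGallery` directories, reads of .htaccess or the config file, and script tags in the query string. The log lines are constructed, and the config file name `config.inc` is an assumed placeholder, not the library's real file name.

```python
import re
from urllib.parse import unquote, urlsplit
# Constructed Apache combined-log sample (not from the original post). The
# internal directory names come from the article; the config file name
# "config.inc" is an assumed placeholder, not phpAutoGallery's real file.
SAMPLE_LOG = """\
198.51.100.7 - - [25/May/2008:10:01:02 +0200] "GET /demo/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/May/2008:10:01:09 +0200] "GET /demo/__phpAutoGallery__picLoader/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [25/May/2008:10:01:15 +0200] "GET /demo/__phpAutoGallery/.htaccess HTTP/1.1" 200 61 "-" "Mozilla/5.0"
198.51.100.7 - - [25/May/2008:10:01:20 +0200] "GET /demo/__phpAutoGallery/config.inc HTTP/1.1" 200 240 "-" "Mozilla/5.0"
203.0.113.4 - - [25/May/2008:10:02:00 +0200] "GET /demo/?dir=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/May/2008:10:03:00 +0200] "GET /demo/__phpAutoGallery/thumbs/pic1.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
INTERNAL_DIR = "__phpAutoGallery"               # prefix of the library's internal directories
SENSITIVE_FILES = {".htaccess", "config.inc"}   # config.inc is an assumed placeholder name
SCRIPT_RE = re.compile(r"<script|javascript:", re.IGNORECASE)

def classify(target):
    """Return the list of reasons why this request target looks suspicious (empty if clean)."""
    parts = urlsplit(target)
    path = unquote(parts.path)      # decode %XX so encoded probes are not missed
    query = unquote(parts.query)
    reasons = []
    if INTERNAL_DIR in path and path.endswith("/"):
        reasons.append("directory-listing request on internal directory")
    if path.rsplit("/", 1)[-1] in SENSITIVE_FILES:
        reasons.append("request for sensitive file")
    if SCRIPT_RE.search(query) or SCRIPT_RE.search(path):
        reasons.append("script injection attempt in request")
    return reasons

def find_alerts(log_text):
    """Parse combined-log lines and return one alert dict per suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that are not in combined-log format
        reasons = classify(m["target"])
        if reasons:
            alerts.append({"ip": m["ip"], "target": m["target"],
                           "served": m["status"] == "200", "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(a["ip"], a["target"], "served" if a["served"] else "not served", "; ".join(a["reasons"]))
```

A `served` value of `True` on a listing or config-file alert means the server actually handed the content out, which is the case to act on first.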



And now what?

This might not be too interesting though, because the admin-panel doesn't allow you to do much, but at least you've got a username and password which you can try on a CMS, database, etc. In my friend's case I could access his CMS with administrator rights, allowing me to change anything (I didn't though :P).

This library is currently running at thousands of sites (have a look at Google), trying some of those sites will probably get you access a couple of times...but that's not really the sport, is it? I suggest you e-mail any vulnerable webmaster and show him this article ;)

I have left a message at the phpAutoGallery SourceForge page and also found out that the bug was known to a couple of people. There just hasn't been a proper update since 2003.


