TFT-Gallery 'index.php' Unrestricted File Upload Vulnerability

Vulnerability ID: 1192640
Vulnerability type: Unknown
Published: 2006-12-06
Updated: 2006-12-06
CVE: CVE-2006-6347
CNNVD-ID: CNNVD-200612-092
Platform: N/A
CVSS score: 6.5
|Sources
https://www.securityfocus.com/bid/87301
https://cxsecurity.com/issue/WLB-2006120054
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-092
|Details
TFT-Gallery has an unrestricted file upload vulnerability: a remote authenticated administrator can upload arbitrary .php files, probably via admin/index.php. The advisory below also reports that the administrator's password hash file (admin/passwd) is readable over the web, which is how an unauthenticated attacker obtains the credentials the upload requires.
|Exploit / advisory
Script Name: TFT-Gallery
Authors: Mike Scalora, Eric Thelin, Sascha Lorenz & Jan Berndt
Website: http://tftgallery.sourceforge.net
Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com)
Status: Patch not released

First I should apologize for my bad English.

Intro:
	TFT-Gallery is a PHP-based web image gallery and doesn't require a database.
	
Bugs Description:
First bug)
	Look at the admin's index page (/admin/index.php):

if(file_exists("passwd")) {
    // admin/passwd lives inside the web root; it holds the crypt() hash of the admin password
    $fd = fopen("passwd", "r");
    $givenpw = fgets($fd,15);
    fclose($fd);
    // Traditional DES crypt() only uses the first two salt characters ("tf")
    if(isset($_REQUEST['password']) and
       isset($_REQUEST['username']) and
       $_REQUEST['username']=='admin' and
       crypt($_REQUEST['password'], "tftgallery") == $givenpw) {
        $_SESSION['admin']=true;
    } else {
        include_once "login_form.inc";
        exit;
    }
}

TFT-Gallery stores the admin's password in a "passwd" file in the admin folder, so everyone has access
to it by going to:
											http://victim/admin/passwd
TIP: The password is hashed with the DES algorithm.
TIP: The username is "admin".
Second bug)
	TFT-Gallery doesn't check the file extension, so somebody who has gained access via the first bug can
upload a file with any extension (e.g. evil.php).

Solution:
	Edit the code and store passwd somewhere else (outside the wwwroot).
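The following is an added example, not TFT-Gallery's code and not part of NetJackal's advisory. It shows hardened replacements for the two pieces of admin/index.php discussed above: the login check reads a password_hash() string from a file outside the document root instead of a DES crypt() hash from admin/passwd, and the upload handler allow-lists the extension, verifies the bytes are really an image, and picks the stored filename itself so an uploaded evil.php can never land on disk under that name. The path in PASSWD_FILE, the IMAGE_DIR location and the function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Assumed locations (not from the advisory). PASSWD_FILE is outside the web
// root, so no URL maps to it; IMAGE_DIR is the gallery's image directory.
const PASSWD_FILE = '/var/lib/tftgallery/passwd';
const IMAGE_DIR   = __DIR__ . '/../images';

// Write the admin password once, e.g. from an install script.
function set_admin_password(string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    file_put_contents(PASSWD_FILE, $hash . "\n", LOCK_EX);
    chmod(PASSWD_FILE, 0600);
}

// Login check: both comparisons always run, so a wrong username costs the
// same time as a wrong password, and the hash is verified with password_verify().
function admin_login_ok(string $username, string $password): bool
{
    if (!is_readable(PASSWD_FILE)) {
        return false;
    }
    $stored = trim((string) file_get_contents(PASSWD_FILE));
    $userOk = hash_equals('admin', $username);
    $passOk = password_verify($password, $stored);
    return $userOk && $passOk;
}

// Upload handling for one entry of $_FILES. Returns the stored path or throws.
function store_image_upload(array $file): string
{
    // Extension allow-list paired with the MIME type the bytes must have.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Only the extension of the client-supplied name is used, and only if it
    // is on the allow-list; the rest of the name is discarded.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Content check from the bytes, not from the client's Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Server-chosen random name with the validated extension.
    $dest = IMAGE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $dest;
}

// Usage inside admin/index.php (replacing the block quoted in the advisory):
//   if (!admin_login_ok($_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       include_once "login_form.inc"; exit;
//   }
//   $_SESSION['admin'] = true;
//   if (isset($_FILES['image'])) { store_image_upload($_FILES['image']); }
```

As defence in depth, the images directory should also have script execution disabled at the web server (for Apache, `php_admin_flag engine off` or `RemoveHandler .php` for that directory), so that even a validation bypass cannot turn an upload into code execution.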
|Affected products
TFT Gallery 0.10
|References
Source: BUGTRAQ
Name: 20061204 Multiple bugs in TFT-Gallery
Link: http://www.securityfocus.com/archive/1/archive/1/453471/100/0/threaded
Source: XF
Name: tftgallery-extension-file-upload(30731)
Link: http://xforce.iss.net/xforce/xfdb/30731
Source: SREASON
Name: 1983
Link: http://securityreason.com/securityalert/1983