
PhotoPost vBGallery Important Security Bulletin


ScottW
January 9th, 2008, 12:06 AM
This bulletin affects all versions of PhotoPost vBGallery released to date.

We recently became aware of a new exploit that hackers have created in order to upload and attempt to execute php scripts on a webserver using vBGallery. The exact details of the exploit were emailed to PhotoPost customers and are available to valid license holders upon request.

Ultimately, this is a security flaw in the Apache webserver and has the potential to affect any software that handles user file uploads, not just vBGallery, but you should know that PhotoPost Pro is not affected by this particular issue.

We now have modified vBGallery in an effort to help you minimize the ability of hackers to upload these scripts. You can download (https://www.photopost.com/members/members.pl) this latest version of vBGallery 2.4.2 (for vBulletin versions 3.6.8 and 3.7.0 beta 3) and update your site accordingly. Update instructions can be found in our 2.4.2 announcement (http://www.photopost.com/forum/showthread.php?t=134909).

If you're running an older version of vBGallery (http://www.photopost.com/forum/showpost.php?p=1214127&postcount=15), we also have instructions on how to manually patch the necessary files. Note that these manual instructions apply to vBGallery versions running with vBulletin 3.5.x, 3.6.x, and 3.7 only.

We are also providing a script called clean.php, attached to this post as clean.zip, that scans your vBGallery upload directories and helps remove any malicious files pertaining to this particular exploit that any would-be hacker may have uploaded. Instructions for using clean.php can be found in the included readme.txt file. You can upload the scanner script to your server and run it one time to remove any such files from your upload directories.

As an added security measure, you also can configure your Apache webserver to disallow the execution of any scripts (PHP, Perl, or otherwise) from your vBGallery upload directories if you have the expertise to do so. This is an added security measure that security conscious sites can take regardless of this new exploit, since it gives you additional protection to address potential as-yet-unknown exploits involving file uploads.

As always, we recommend that you back up your database and files on your webserver(s) now and before you run any updates, the cleaning script, or apply any other patches.

If you need our assistance to update your gallery to this newest 2.4.2 version, or to run the clean.php script, you can purchase the upgrade service (http://store.yahoo.com/techimo/photlic.html) and we will perform these tasks for you.

Please contact us (http://www.photopost.com/ppost_contact.pl) should you have any questions.
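
The upload-directory hardening the bulletin suggests, as an added example that is not part of the bulletin or of vBGallery: an .htaccess file assumed to be placed in each vBGallery upload directory (the directory path and the AllowOverride settings are assumptions; the restricted extension list is the one the vBGallery fix in this thread uses).

```apache
# Added example .htaccess for a vBGallery upload directory (assumed location; not vendor code).
# Needs AllowOverride to permit Options, FileInfo and Limit for this path.

# 1. Turn off the mod_php engine below this directory. php_flag is only honoured
#    when PHP runs as an Apache module (mod_php5.c here; the name follows the PHP
#    version); without the IfModule guard an absent mod_php makes Apache reject
#    the directive. Under CGI/FastCGI this step is a no-op, so steps 2 and 3 remain.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# 2. No CGI or server-side-include execution from this tree, and no script
#    handler or MIME type bound to these extensions, so a stray file is at
#    most served as inert data.
Options -ExecCGI -Includes
RemoveHandler .php .php3 .php4 .php5 .php6 .phtml .pl .cgi
RemoveType    .php .php3 .php4 .php5 .php6 .phtml

# 3. Refuse to serve any file whose name contains a script extension as a
#    complete dot-separated component anywhere in the name, not only at the end,
#    so shell.php.jpg is refused as well as shell.php (photo.plus.jpg is fine).
#    Apache 2.2 syntax; on 2.4 replace the two lines with "Require all denied".
<FilesMatch "\.(php[3-6]?|phtml|pl|cgi)(\.|$)">
    Order Deny,Allow
    Deny from all
</FilesMatch>
```

Test it by placing a harmless text file named test.php.txt in the directory and confirming Apache returns 403 for it while an ordinary image still loads.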

Michael P
January 9th, 2008, 08:58 AM
This will rename unwanted files on upload.
This will be added to 2.4.2
- a script to scan for existing files will follow

Edit:
forums\includes\functions_gallery_imageedit.php

Find:
1.0.0 - 2.1
$filename = preg_replace("/[^a-z_.0-9-]/i", '', $filename);

2.2, 2.3
$filename = urldecode($filename);
$filename = preg_replace("/[^a-z_.0-9-]/i", '', $filename);

2.4 +
$filename = preg_replace("/[^a-zA-Z0-9\-_\.]+/", "_", $filename);
$filename = strtolower($filename);

Replace:
// Split the filename into its final extension and the rest of the name.
$ext = substr($filename, strrpos($filename, ".") + 1);
$name = preg_replace("/\.\w+$/U", "", $filename);
// Strip script-extension tokens that survive inside the name part (double extensions).
$name = preg_replace(array('/\.php/', '/\.php3/', '/\.php4/', '/\.php5/', '/\.php6/', '/\.pl/', '/\.cgi/'), "", $name);
// Reduce the name to a safe character set and normalise whitespace to underscores.
$name = preg_replace("#[^a-z0-9_,]#i", " ", $name);
$name = trim(str_replace("_", " ", $name));
$name = str_replace(" ", "_", $name);

$filename = strtolower($name . '.' . $ext);
unset($name, $ext);

Find:
// ############################### Check Image Errors #########################

Above add:
// Provide stripos() on PHP 4; it is built in only from PHP 5.
if (!function_exists('stripos')) {
    function stripos($haystack, $needle, $offset = 0) {
        return strpos(strtolower($haystack), strtolower($needle), $offset);
    }
}
Find:
if (!$imageinfo['catid'])
Above add:
// Build a list of valid file types for this category, minus any the category disables.
$tempfiletypes = $filetypes["$imageinfo[catid]"];
if ($categorycache["$imageinfo[catid]"]['disext'])
{
    foreach ($tempfiletypes AS $ext => $extinfo)
    {
        if (in_array($extinfo['extensionid'], explode(',', $categorycache["$imageinfo[catid]"]['disext'])))
        {
            unset($tempfiletypes["$ext"]);
        }
    }
}

// Hard-coded restricted extensions, matched anywhere in the name so double extensions are caught too.
$forbidden_extensions = array('.php', '.php3', '.php4', '.php5', '.php6', '.pl', '.cgi');

foreach ($forbidden_extensions AS $forbidden_extension)
{
    if (stripos($imageinfo['filename'], $forbidden_extension) !== false)
    {
        // Append the error directly rather than through eval(), which would break
        // on a quote in the filename or the error message.
        $errors[] = substr($imageinfo['filename'], strpos($imageinfo['filename'], '.') + 1) . ' = ' . fetch_error('adv_gallery_invalid_extension', implode(', ', array_keys($tempfiletypes)));
    }
}

Michael P
January 9th, 2008, 10:57 AM
Please use this thread for discussions about the script or changes:

http://www.photopost.com/forum/showthread.php?t=134923