http://osvdb.org/show/osvdb/79477
The software "YVS Image Gallery" seems to be full of security issues. For
example one can have lots of fun with this. Copy from installation.php:
"""
case(isset($_POST['db_name'])):
$host = $_POST['host'];
$db_name = $_POST['db_name'];
$db_user_name = $_POST['db_user_name'];
$db_password = $_POST['db_password'];
$admin_name = $_POST['admin_name'];
$admin_password = $_POST['admin_password'];
$o_host = $_POST['o_host'];
$o_db_name = $_POST['o_db_name'];
$o_db_user_name = $_POST['o_db_user_name'];
$o_db_password = $_POST['o_db_password'];
//read in the file
$file = "../functions/db_connect.php";
$fh = fopen($file, 'r+');
$contents = fread($fh, filesize($file));
//set up the text to change
$text_to_change = array();
$new_text = array();
$text_to_change[] = '$dbhost="'.$o_host.'"';
$text_to_change[] = '$dbuser="'.$o_db_user_name.'"';
$text_to_change[] = '$dbpass="'.$o_db_password.'"';
$text_to_change[] = '$dbname="'.$o_db_name.'"';
$new_text[] = '$dbhost="'.$host.'"';
$new_text[] = '$dbuser="'.$db_user_name.'"';
$new_text[] = '$dbpass="'.$db_password.'"';
$new_text[] = '$dbname="'.$db_name.'"';
$new_contents = str_replace($text_to_change, $new_text, $contents);
fclose($fh);
// Open file to write
$fh = fopen($file, 'r+');
fwrite($fh, $new_contents);
fclose($fh);
//set up new admin user
include '../functions/db_connect.php';
db_connect();
"""
I'll bet this software is not used much, but I can list all problems I can find
if we want to assign CVE-identifiers to cases like these. No contact
information of developer found. Any ideas how to get these fixed or get the
code out of internet. The package is also hosted in here:
http://www.hotscripts.com/listing/yvs-image-gallery/ (and probably others).
- Henri Salo
