SecurityTracker.com
Category:   Application (Multimedia)  >   Gallery
Vendors:   Gallery Project
'Gallery' Web-based Image Gallery Software Input Validation Flaw Lets Remote Users Execute Arbitrary Commands on the System
SecurityTracker Alert ID:  1004918
SecurityTracker URL:  http://securitytracker.com/id/1004918
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 1 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 1.3.1
Description:   An input validation flaw was reported in Gallery. A remote user may be able to execute arbitrary commands with the privileges of the web server.

It was reported that a remote user could pass the GALLERY_BASEDIR variable to possibly execute commands with the user privileges of the web server.

Also, a remote user could issue a specially crafted link to a slideshow to avoid authentication requirements and access the image gallery (if the album name is known). A demonstration exploit URL is provided:

http://server:port/gallery/slideshow.php?set_albumName=2002-06-01

Impact:   A remote user may be able to execute arbitrary commands with the privileges of the web server.
Solution:   This has reportedly been fixed in version 1.3.1, available at:

http://gallery.menalto.com/modules.php?op=modload&name=phpWiki&file=index&pagename=Download

Vendor URL:  gallery.menalto.com/modules.php?op=modload&name=News&file=index
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) 'Gallery' Web-based Image Gallery Software Input Validation Flaw Lets Remote Users Execute Arbitrary Commands on the System
Debian has released a fix.



 Source Message Contents

Subject:  gallery vulnerability


Debian reported in advisory DSA-138-1 that a flaw was discovered in
gallery.  A remote user could pass the GALLERY_BASEDIR variable to
possibly execute commands under the uid of web-server.

This has reportedly been fixed in upstream version 1.3.1.

In the gallery changelog, two security issues were reported.  [Editor's
note:  It is not clear if the first of these is the same as reported by
Debian.]

In CVS version 1.3.1-cvs-b11:

Fixed SECURITY HOLE in the errors/Xxx templates that allows remote
execution.

In CVS version 1.3.1-cvs-b4:

Fixed a security bug in the slideshow (#564083).

The following text was reported under bug #564083:

---------------------
The link to a slideshow picture as in

http://server:port/gallery/slideshow.php?set_albumName=2002-06-01

does not check the user login (the album has access
permissions). This is in contrast to the link

http://server:port/gallery/view_album.php?set_albumName=2002-06-01

which does not show any pictures if the user is not
logged in.

All pictures can therefore be viewed, an anonymous
visitor must only know the album name.
---------------------

The gallery ChangeLog can be viewed at:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/gallery/gallery/ChangeLog
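
Added example (not part of the SecurityTracker entry or of the Gallery code): a check of web server access logs for the two request patterns described above. It assumes Combined Log Format logs and that GALLERY_BASEDIR arrives as a query-string parameter; the function names, the sample log lines and the RESTRICTED album set are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of a Combined Log Format entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def php_name(raw):
    """Approximate PHP's handling of a parameter name: leading spaces are
    dropped, an array suffix [..] is ignored, dots and spaces become '_'."""
    return raw.lstrip(" ").split("[", 1)[0].replace(".", "_").replace(" ", "_")

def classify(log_line, restricted_albums=frozenset()):
    """Return the findings for one access-log line (empty list if none)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # parse_qsl percent-decodes names, so an encoded spelling is caught too.
    params = [(php_name(n), v)
              for n, v in parse_qsl(url.query, keep_blank_values=True)]
    findings = []
    if any(n == "GALLERY_BASEDIR" for n, _ in params):
        findings.append("client-supplied GALLERY_BASEDIR")
    if url.path.endswith("/slideshow.php"):
        for n, v in params:
            if n == "set_albumName" and v in restricted_albums:
                findings.append("slideshow request for restricted album " + v)
    return findings

def scan(lines, restricted_albums=frozenset()):
    """Return (line_number, finding) pairs for every flagged request."""
    return [(i, f) for i, line in enumerate(lines, 1)
            for f in classify(line, restricted_albums)]

# Constructed sample log lines (client addresses from a documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2002:10:00:00 +0000] "GET /gallery/view_album.php?set_albumName=2002-06-01 HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Aug/2002:10:00:05 +0000] "GET /gallery/slideshow.php?set_albumName=2002-06-01 HTTP/1.0" 200 2048',
    '192.0.2.12 - - [01/Aug/2002:10:00:09 +0000] "GET /gallery/example.php?GALLERY_BASEDIR=CONSTRUCTED HTTP/1.0" 200 128',
    '192.0.2.12 - - [01/Aug/2002:10:00:12 +0000] "GET /gallery/example.php?%47ALLERY.BASEDIR=CONSTRUCTED HTTP/1.0" 200 128',
    '192.0.2.13 - - [01/Aug/2002:10:00:20 +0000] "GET /gallery/slideshow.php?set_albumName=public-album HTTP/1.0" 200 900',
]
RESTRICTED = {"2002-06-01"}  # constructed: albums that carry access permissions

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG, RESTRICTED):
        print(f"line {lineno}: {finding}")
```

Access logs do not record POST bodies or cookies, so this check covers only values sent in the query string. A slideshow hit on a restricted album is a lead to review against the session state, not proof of unauthenticated access.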


 
 



Copyright 2019, SecurityGlobal.net LLC