SecurityTracker.com
Category:   Application (Multimedia)  >   Gallery
Vendors:   Gallery Project
Gallery Image Management Software Lets Local Users Create or Modify Images
SecurityTracker Alert ID:  1006066
SecurityTracker URL:  http://securitytracker.com/id/1006066
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 10 2003
Impact:   Modification of user information
Exploit Included:  Yes  
Version(s): 1.3.3
Description:   An access control vulnerability was reported in the Gallery image management software. A local user can create, modify, or delete images in an album directory.

It is reported that the software is configured so that the image album directories are writable by the account the web server process runs as. A local user who can write and execute CGI scripts can create a script that the web daemon executes under that account to manipulate the image files.

Impact:   A local user can create, modify, or delete images.
Solution:   No solution was available at the time of this entry.
Vendor URL:  gallery.sourceforge.net
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Responds) Re: Gallery Image Management Software Lets Local Users Create or Modify Images
The vendor has responded to indicate that this is not a flaw in Gallery, but an inherent characteristic of shared-servers.



 Source Message Contents

Subject:  Gallery 1.3.3



Vulnerable: gallery version 1.3.3 (other versions not tested)
Url: gallery.sf.net

Local exploit.

Gallery has a security hole where any other user on the same webserver
can create, modify or destroy photos in a given album directory.

Also Gallery requires that you turn off safe mode.

Each gallery setup needs a temp directory and an album directory.

Gallery accesses the album directory in a manner that requires
permissions of 755.

eg:
drwxr-xr-x   5 www   wheel   512 Feb  9 16:02 albums

and inside albums:
ls -l
total 16
drwxrwxr-x  2 www  wheel  3584 Feb  9 16:19 album01
drwxrwxr-x  2 www  wheel  5120 Feb  9 16:25 album02
-rw-r--r--  1 www  wheel    65 Feb  9 16:02 albumdb.dat
-rw-r--r--  1 www  wheel    65 Feb  9 16:02 albumdb.dat.bak
-rw-r--r--  1 www  wheel     0 Feb  9 14:05 albumdb.dat.lock
-rw-r--r--  1 www  wheel    11 Feb  9 15:42 serial.dat

As a result anyone who has ever set up a gallery before can just have a
cgi running as user www (or whatever user apache is running as) move
files around.

This can be exploited with everything from SSI, perl to even php.

So on shared hosting gallery is a bad idea.


There is no fix for this as of this time.
This is a product of poor default web application security design.

--
error <error@lostinthenoise.net>

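An audit an administrator can run against the layout shown in the message above, added here as an example (it is not part of the original advisory or of Gallery): it lists files and directories under an album tree that the web server account owns and can write, plus anything writable by everyone. The function name `audit_album_tree`, the `www` account and the paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example. audit_album_tree, "www" and the paths below are assumptions.
#
# audit_album_tree DIR WEB_USER
#   Prints "<reason> <path>" for every file or directory under DIR that a
#   script running as WEB_USER (name or numeric uid) could change:
#     owner-writable  owned by WEB_USER with the owner write bit set
#     world-writable  owned by someone else but writable by "other"
#   Returns 0 when nothing is found, 1 when there are findings, 2 on misuse.
audit_album_tree() {
    dir=$1
    web_user=$2
    if [ -z "$dir" ] || [ -z "$web_user" ] || [ ! -d "$dir" ]; then
        echo "usage: audit_album_tree DIR WEB_USER" >&2
        return 2
    fi
    findings=$(
        # -perm -200 matches when the owner write bit is set
        find "$dir" \( -type d -o -type f \) -user "$web_user" -perm -200 \
            2>/dev/null | sed 's/^/owner-writable /'
        # -perm -002 matches when the write bit for "other" is set
        find "$dir" \( -type d -o -type f \) ! -user "$web_user" -perm -002 \
            2>/dev/null | sed 's/^/world-writable /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run directly, e.g.:  sh audit.sh /path/to/albums www
if [ "$#" -ge 2 ]; then
    audit_album_tree "$1" "$2"
fi
```

An `owner-writable` line for a directory means every site that shares that web server account can add, replace or delete files there, which is the condition the advisory describes.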

 
 



Copyright 2019, SecurityGlobal.net LLC