SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Gallery Vendors:   Gallery Project
Gallery Input Validation Bug in Processing Internal Cache Files Lets Remote Users Traverse the Directory
SecurityTracker Alert ID:  1015060
SecurityTracker URL:  http://securitytracker.com/id/1015060
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 14 2005
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0
Description:   A vulnerability was reported in Gallery. A remote user can view files on the target system.

The 'main.php' script does not properly validate user-supplied input in the 'g2_itemID' parameter. A remote user can supply a specially crafted parameter value containing '../' directory traversal characters to view arbitrary files on the target system.

The flaw resides in the internal cache processing code.

A demonstration exploit URL is provided:

http://[target]/gallery2/main.php?g2_itemId=/../../../../../../../etc/aliases%00

The vendor was notified on October 12, 2005.

Michael Dipper discovered this vulnerability.

Impact:   A remote user can view files on the target system with the privileges of the target web service.
Solution:   The vendor has issued a fixed version (2.0.1), available at:

http://codex.gallery2.org/Gallery2:Download

Patches for 2.0 are also available at that location.

Vendor URL:  gallery.menalto.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Gallery 2.x Remote File Access Vulnerability


Vendor information:

    Gallery is an open source web based photo album organizer.  The
    2.x is a newly released complete rewrite of the application.

    Url: http://gallery.menalto.com
    Contact: gallery@menalto.com

Vulnerability class:

    Input sanitization

Details:

    Michael Dipper has discovered an input sanitization issue that
    allows users to specially craft a url to access any file on the
    server that is accessible by the webserver.  The vulnerability
    may be used by any visitor to the Gallery, no user login is
    required.

Exploit:

    The vulnerability may be exploited by accessing a URL like this:

      http://example.com/gallery2/main.php
         ?g2_itemId=/../../../../../../../etc/aliases%00

    Internally the Gallery caching code uses this variable to
    construct a relative filename to a cache file.  Using ../..
    elements in the path allow you to escape the Gallery directory
    and view files that are not regularly available via the webserver.

Solution:

    The Gallery team has released Gallery 2.0.1 which resolves this
    security issue by validating the input variable, modifying the
    caching code to prevent it from generating paths with '..' in
    them, and modifying the choke point on included files to prevent
    it from loading files that contain '..' in them.

    Download 2.0.1 (including patch files from 2.0) from here:
      http://codex.gallery2.org/Gallery2:Download

    A big thanks to Michael Dipper for bringing this to our attention
    and providing us with lead time to make a patch available before
    fully disclosing it.

Vulnerable:
    Gallery 2.0
    Gallery 2.0 Beta 3
    Gallery 2.0 Beta 2
    Gallery 2.0 Beta 1
    Gallery 2.0 Alpha 4
    Gallery 2.0 Alpha 3
    Gallery 2.0 Alpha 2
    Gallery 2.0 Alpha 1
    CVS HEAD before 2005-10-13

Not Vulnerable:
    Gallery 1.x
    Gallery Remote (all versions)

Credit:
    Michael Dipper
    http://dipper.info/

History:
   20051012 - Initial discovery and reporting
              (Michael Dipper, micha-at-dipper.info )
   20051013 - Vendor fix released

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC