Gallery 'util.php' Include File Bug Lets Remote Users Execute Code Stored on the Local System
SecurityTracker Alert ID: 1015641|
SecurityTracker URL: http://securitytracker.com/id/1015641
(Links to External Site)
Updated: Mar 5 2010|
Original Entry Date: Feb 16 2006
Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 1.5 and prior versions|
A vulnerability was reported in Gallery. A remote authenticated user can execute arbitrary code on the target system.|
A remote autheticated user can supply a specially crafted URL to cause the target system to include and execute PHP code from the local system. If the remote authenticated user can upload files to the target system, then arbitrary PHP code can be executed. The PHP code, including operating system commands, will run with the privileges of the target web service.
The vulnerability resides in 'util.php'.
The vendor was notified on December 20, 2005.
Seregorn discovered this vulnerability. Digital Armaments reported the vulnerability.
The original advisory is available at:
A remote authenticated user can execute abitrary code on the target system with the privileges of the target web service.|
The vendor has issued a fix (1.5.2-pl2), available at:|
Vendor URL: gallery.menalto.com/ (Links to External Site)
Input validation error, State error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: Digital Armaments Security Advisory 02.14.2006: Gallery web-based|
Gallery web-based photo gallery remote file execution
Digital Armaments advisory is 02.14.2006
Gallery is a slick Web-based photo album written using PHP. It is easy to install, includes a config wizard, and provides users with
the ability to create and maintain their own albums in the album collection via an intuitive Web interface. Photo management includes
automatic thumbnail creation, image resizing, rotation, ordering, captioning and more. Albums can have read, write, and caption permissions
per individual authenticated user for an additional level of privacy.
For further information or detail about the software you can refer to the vendor's homepage:
II. Problem Description
Every user with privileges (who can modify appareance of one Gallery's album) can include any file located on the server. This vulnerability
can be found in util.php. It allows to an attacker to read files on the remote system or execute arbitrary PHP code with apache privileges
if the attacker can upload files.
This problem has been detected on latest development and stable version of gallery 1.5 and on prior version.
IV. Impact analysis
Successful exploitation allow an attacker to execute arbitrary code on the system with apache privileges.
First notification 12.20.2005.
Second notification 01.14.2006.
The vendor answered second notification.
A new patched version is available.
Seregorn - email@example.com is credited with this discovery.
Get paid and get stocks by vulnerability submission
VII. Legal Notices
Redistribution of this alert electronically is allowed. It should not be edited in any way. Reprint the whole is allowed, partial
reprint is not permitted. For any other request please email firstname.lastname@example.org for permission. Disclaimer: The
information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither
the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of,
or reliance on, this information.