Remote exploit in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1
Jan 27 2004 10:29PM
Bharat Mediratta (bharat menalto com)
(Big thanks to Fred [vrotogel] for discovering this vulnerability
and alerting us before posting.)
Gallery is an open source image management system written in PHP.
Learn more about it at http://gallery.sourceforge.net
Starting in release 1.3.1, Gallery includes code to simulate the
behaviour of register_globals in environments where that setting
is disabled. We do this by extracting the values of the various
$HTTP_ global variables into the global namespace. We check
for the presence of certain types of malicious data before doing
this, but our checks are inadequate.
A clever hacker can circumvent our checks by crafting a URL that
causes our register_globals simulation code to overwrite
HTTP_POST_VARS; when that array is in turn extracted, it delivers
the payload. If the payload compromises $GALLERY_BASEDIR, the
malicious user can perform a PHP injection exploit and gain remote
access to your box as the webserver/PHP user id.
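The weakness described above is that a request parameter whose name matches one of the $HTTP_ request arrays gets extracted into the global namespace before that array is read, so the attacker controls what the second extraction imports. The following is an added example (not Gallery's own code, and not the fix shipped in 1.4.1-pl1) of how a register_globals simulation can be written defensively: the request arrays are snapshotted once in a fixed order, parameter names that look like request arrays or superglobals are dropped, configuration variables such as $GALLERY_BASEDIR are explicitly protected, and the result is extracted with EXTR_SKIP so it can never overwrite a variable that already exists. The function name filter_request_globals and the sample input arrays are constructed for illustration.

```php
<?php
// Added example, not Gallery's own code: a defensive version of a
// register_globals-style import. All names and sample values below are
// constructed for illustration.

/*
 * Filter request parameters before they are pushed into the global
 * namespace. Returns array($clean, $rejected): $clean is safe to pass
 * to extract($clean, EXTR_SKIP); $rejected lists what was dropped and why,
 * so the caller can log it.
 */
function filter_request_globals(array $sources, array $protected)
{
    $clean = array();
    $rejected = array();
    foreach ($sources as $params) {
        foreach ($params as $key => $value) {
            $key = (string) $key;
            if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $key)) {
                // Rejects numeric keys and anything starting with "_",
                // which covers the PHP superglobals ($_GET, $_SERVER, ...).
                $rejected[$key] = 'not a plain identifier';
            } elseif (strncmp($key, 'HTTP_', 5) === 0 || $key === 'GLOBALS') {
                // A parameter named like a request array would replace that
                // array before it is read; this is the weakness described above.
                $rejected[$key] = 'looks like a request array';
            } elseif (in_array($key, $protected, true)) {
                // Configuration must come from config files, never from input.
                $rejected[$key] = 'protected configuration variable';
            } elseif (isset($clean[$key])) {
                // First source wins; a later array cannot override an earlier one.
                $rejected[$key] = 'already set by an earlier source';
            } else {
                $clean[$key] = $value;
            }
        }
    }
    return array($clean, $rejected);
}

// --- constructed demonstration input (stands in for $HTTP_GET_VARS etc.) ---
$get = array(
    'page'            => '2',
    'HTTP_POST_VARS'  => array('GALLERY_BASEDIR' => 'attacker-controlled-value'),
    'GALLERY_BASEDIR' => 'attacker-controlled-value',
);
$post = array('comment' => 'hello');

// Snapshot the arrays once, in a fixed order, so nothing imported from one
// can change what is read from the next.
$sources   = array($get, $post);
$protected = array('GALLERY_BASEDIR');

list($clean, $rejected) = filter_request_globals($sources, $protected);

// Real configuration is loaded first; EXTR_SKIP guarantees that even an
// unfiltered name could not overwrite a variable that already exists.
$GALLERY_BASEDIR = '/var/www/gallery';
extract($clean, EXTR_SKIP);

var_dump($clean, $rejected, $GALLERY_BASEDIR);
```

Running this with the constructed input imports only `page` and `comment`; both `HTTP_POST_VARS` and `GALLERY_BASEDIR` land in $rejected, and $GALLERY_BASEDIR keeps the value set by configuration. Logging the $rejected array in production is a cheap way to detect probing of this class of bug.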
This vulnerability affects Gallery releases 1.3.1, 1.3.2, 1.3.3,
1.4 and 1.4.1. It has been fixed in Gallery v1.4.1-pl1, v1.4.2
(not yet released) and in the CVS HEAD. We strongly recommend
that all users upgrade to Gallery v1.4.1-pl1 ASAP.
FIXING THE PROBLEM
There are three different ways you can resolve this problem.
1. Replace init.php and setup/init.php with the files from this zip:
2. Upgrade to Gallery 1.4.1-pl1:
3. Follow the instructions in this news article:
to manually patch the two affected files (this won't take more
than a couple of minutes).
Copyright 2010, SecurityFocus