From: "Peter Stöckli" <pcs (at) rootquest (dot) com [email concealed]>
...
> -Proof of concept-
> It is possible to include any php file from a remote host, and execute
> it on the target's server.
Thanks for the alert. It's disappointing that you made absolutely
no effort to contact us before announcing this vulnerability.
Even 12 hours would have let us have a release ready in time for
your announcement and you still would have gotten the credit.
This vulnerability affects a small percentage of Unix gallery users,
as it can only be exploited when Gallery is in the non-functional
"configuration mode". However, it does expose Windows users to
the exploit. Only the following versions of Gallery have the bug:
* 1.4
* 1.4-pl1
* 1.4.1 (unreleased; prior to build 145)
The problem has been fixed in:
* 1.4-pl2
http://sf.net/project/showfiles.php?group_id=7130&release_id=184028
* 1.4.1 (unreleased; build 145)
We strongly recommend that you upgrade to 1.4-pl2 immediately.
However, if you don't want to install the entire 1.4-pl2 update, there
are two simple approches you can take to secure your system:
1. Delete gallery/setup/index.php
This will also disable the configuration wizard for you until you
restore this file or upgrade to a secure release.
--or--
2. Open gallery/setup/index.php in a text editor and change the
following lines:
if (!isset($GALLERY_BASEDIR)) {
$GALLERY_BASEDIR = '../';
}
to this:
$GALLERY_BASEDIR = '../';
Note that all we are doing is deleting two lines of code.
regards,
Bharat Mediratta
Gallery Development Team
...
> -Proof of concept-
> It is possible to include any php file from a remote host, and execute
> it on the target's server.
Thanks for the alert. It's disappointing that you made absolutely
no effort to contact us before announcing this vulnerability.
Even 12 hours would have let us have a release ready in time for
your announcement and you still would have gotten the credit.
This vulnerability affects a small percentage of Unix gallery users,
as it can only be exploited when Gallery is in the non-functional
"configuration mode". However, it does expose Windows users to
the exploit. Only the following versions of Gallery have the bug:
* 1.4
* 1.4-pl1
* 1.4.1 (unreleased; prior to build 145)
The problem has been fixed in:
* 1.4-pl2
http://sf.net/project/showfiles.php?group_id=7130&release_id=184028
* 1.4.1 (unreleased; build 145)
We strongly recommend that you upgrade to 1.4-pl2 immediately.
However, if you don't want to install the entire 1.4-pl2 update, there
are two simple approches you can take to secure your system:
1. Delete gallery/setup/index.php
This will also disable the configuration wizard for you until you
restore this file or upgrade to a secure release.
--or--
2. Open gallery/setup/index.php in a text editor and change the
following lines:
if (!isset($GALLERY_BASEDIR)) {
$GALLERY_BASEDIR = '../';
}
to this:
$GALLERY_BASEDIR = '../';
Note that all we are doing is deleting two lines of code.
regards,
Bharat Mediratta
Gallery Development Team
[ reply ]