  • Gallery exploit

    For all you Gallery users...

    -----Original Message-----
    From: Bharat Mediratta [mailto:bharat@menalto.com]
    Sent: Tuesday, January 27, 2004 2:30 PM
    To: bugtraq@securityfocus.com
    Subject: Remote exploit in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1


    (Big thanks to Fred [vrotogel] for discovering this vulnerability and alerting us before posting.)

    ___________________
    PROBLEM DESCRIPTION

    Gallery is an open source image management system written in PHP. Learn more about it at http://gallery.sourceforge.net

    Starting in release 1.3.1, Gallery includes code to simulate the behaviour of register_globals in environments where that setting is disabled. We do this by extracting the values of the various $HTTP_ global variables into the global namespace. We check for the presence of certain types of malicious data before doing this, but our checks are inadequate.

    A clever hacker can circumvent our checks by crafting a URL like
    this:

    http://example.com/gallery/init.php?HTTP_POST_VARS=xxx

    This causes our register_globals simulation code to overwrite HTTP_POST_VARS which, when it is in turn extracted, will deliver the payload. If the payload compromises $GALLERY_BASEDIR then the malicious user can perform a PHP injection exploit and gain remote access to your box as the webserver/PHP user id.

    _________________
    VERSIONS AFFECTED

    This vulnerability affects Gallery releases 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1. It has been fixed in Gallery v1.4.1-pl1, v1.4.2 (not yet released) and in the CVS HEAD. We strongly recommend that all users upgrade to Gallery v1.4.1-pl1 ASAP.

    __________________
    FIXING THE PROBLEM

    There are three different ways you can resolve this problem.

    1. Replace init.php and setup/init.php with the files from this zip:

    http://prdownloads.sourceforge.net/g...1.zip?download

    -or-

    2. Upgrade to Gallery 1.4.1-pl1:

    http://sourceforge.net/project/showf...ease_id=212324


    -or-

    3. Follow the instructions in this news article:
    http://gallery.sourceforge.net/article.php?sid=107
    to manually patch the two affected files. (Won't take more than a couple of minutes.)
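
The advisory above describes the chain (a GET key named HTTP_POST_VARS is exported first, then the fake HTTP_POST_VARS is exported in turn and plants $GALLERY_BASEDIR). The following is an added example, not Gallery's own init.php or its patch: a register_globals emulation that snapshots its sources before exporting and refuses any reserved name at any nesting level, which is the check the advisory says was inadequate. The function names, the RESERVED_GLOBALS list beyond GALLERY_BASEDIR, and the sample request are assumptions constructed for the example.

```php
<?php
// Added example, not Gallery's own code: a register_globals emulation that
// snapshots its sources and refuses reserved names before exporting anything.
// GALLERY_BASEDIR comes from the advisory; the other names are the PHP request
// arrays the emulation itself reads from, so a request key cannot replace them.
const RESERVED_GLOBALS = [
    'GALLERY_BASEDIR',
    'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS',
    '_GET', '_POST', '_COOKIE', '_SERVER', '_REQUEST', '_ENV', '_FILES', 'GLOBALS',
];
// Return the request keys that must not be exported, or [] when clean.
// Every nesting level is checked, since a nested key becomes a top-level
// name the moment an exported array is extracted again (the chaining step
// the advisory describes).
function find_unsafe_keys(array $sources): array {
    $bad = [];
    foreach ($sources as $name => $vars) {
        foreach ($vars as $key => $value) {
            if (in_array((string)$key, RESERVED_GLOBALS, true)) {
                $bad[] = "{$name}[{$key}]";
            }
            if (is_array($value)) {
                foreach (find_unsafe_keys([$key => $value]) as $nested) {
                    $bad[] = "{$name}[{$nested}]";
                }
            }
        }
    }
    return $bad;
}

// Safe emulation: snapshot the request arrays first, so nothing exported in
// one pass can change what the next pass reads, and abort entirely if any
// reserved name is present (the caller should log the offending keys).
function emulate_register_globals(array $get, array $post, array $cookie): bool {
    $sources = ['HTTP_GET_VARS' => $get, 'HTTP_POST_VARS' => $post,
                'HTTP_COOKIE_VARS' => $cookie];
    if (find_unsafe_keys($sources) !== []) {
        return false;
    }
    foreach ($sources as $vars) {
        foreach ($vars as $key => $value) {
            $GLOBALS[$key] = $value;
        }
    }
    return true;
}

// Constructed request with the shape of the advisory's URL: a GET parameter
// named HTTP_POST_VARS. The hardened check refuses it; a plain request passes.
$rejected = emulate_register_globals(['HTTP_POST_VARS' => 'xxx'], [], []);
$accepted = emulate_register_globals(['album' => 'holiday'], [], []);
```

Logging the keys returned by find_unsafe_keys at the point of refusal gives a useful detection signal, since legitimate requests never carry those names.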

  • #2
    Originally posted by telco88
    It has been fixed in Gallery v1.4.1-pl1, v1.4.2 (not yet released) and in the CVS HEAD. We strongly recommend that all users upgrade to Gallery v1.4.1-pl1 ASAP.
    ...this does include 1.4.2rc1 I assume?
    if it gets me nowhere, I'll go there proud; and I'm gonna go there free.



    • #3
      Read about this the other day when I was grabbing the latest build for another reason... good thing I did!
      "Those who would willingly trade essential liberty for temporary security are deserving of neither." --Benjamin Franklin



      • #4
        I still know PHP zealots who think that register globals isn't a bad idea... personally I don't want anyone with HTTP access to my PHP scripts polluting my global namespace.

        Although from this, it seems like moving away from register globals is equally difficult...
