Gallery v1.3.2 allows remote exploit (fixed in 1.3.3)

From: Bharat Mediratta (bharat@menalto.com)
Date: 12/28/02

    From: "Bharat Mediratta" <bharat@menalto.com>
    To: <bugtraq@securityfocus.com>
    Date: Fri, 27 Dec 2002 23:43:42 -0800
    
    

    ___________________
    PROBLEM DESCRIPTION

    Gallery is an open source image management system. Learn more about
    it at http://gallery.sourceforge.net

    Gallery v1.3.2 introduced a new feature that allows users to publish
    images to their website-based Gallery using the Windows XP Publishing
    subsystem. This feature introduced a bug that can allow a malicious
    user to craft a URL such that they can get remote access to the web
    server, as the user running the web server.
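    The advisory's fix below rejects any request that carries a
    GALLERY_BASEDIR parameter before init.php is included. The same
    condition is a useful detection for an administrator reviewing access
    logs from an unpatched period. The following script is an added
    example, not part of the advisory or of Gallery; it parses a few
    constructed Apache combined-format log lines (sample data, not real
    traffic) and reports requests whose query string names that variable.
    Only the GET vector is visible in an access log; the POST and cookie
    vectors the advisory also covers would need request-body logging.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [28/Dec/2002:10:01:02 -0800] "GET /gallery/publish_xp_docs.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.11 - - [28/Dec/2002:10:01:05 -0800] "GET /gallery/publish_xp_docs.php?GALLERY_BASEDIR=x HTTP/1.1" 200 88 "-" "Mozilla/4.0"
203.0.113.12 - - [28/Dec/2002:10:02:10 -0800] "POST /gallery/publish_xp_docs.php HTTP/1.1" 200 300 "-" "Mozilla/4.0"
203.0.113.13 - - [28/Dec/2002:10:03:00 -0800] "GET /gallery/view_photo.php?set_albumName=test HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.14 - - [28/Dec/2002:10:04:00 -0800] "GET /gallery/publish_xp_docs.php?gallery_basedir=y HTTP/1.1" 200 88 "-" "Mozilla/4.0"
"""

# Minimal parser for the combined log format: client IP, timestamp,
# request method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# The variable the advisory says must never be supplied by the request.
TAINTED_NAME = "gallery_basedir"


def find_basedir_overrides(log_text):
    """Return one dict per request whose query string names GALLERY_BASEDIR.

    Only the GET vector shows up in an access log; POST bodies and cookies,
    which the advisory's check also rejects, are not visible here.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m.group("target"))
        params = parse_qs(url.query, keep_blank_values=True)
        # PHP variable names are case-sensitive, so only the exact spelling
        # could have replaced $GALLERY_BASEDIR; case variants are still
        # reported because they indicate someone probing for this bug.
        matched = [name for name in params if name.lower() == TAINTED_NAME]
        if matched:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": url.path,
                "params": matched,
                "exact": "GALLERY_BASEDIR" in matched,
            })
    return hits


if __name__ == "__main__":
    for hit in find_basedir_overrides(SAMPLE_LOG):
        print(hit)
```

    Run against a real log with `find_basedir_overrides(open(path).read())`;
    each hit records whether the parameter name matched exactly, which is
    what separates a request that could actually have changed the include
    path from a case-variant probe.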

    Many thanks to Michael Graff for noticing this hole and bringing it to
    the attention of the Gallery dev team. It's nice to see folks doing
    the right thing with dangerous information.

    _________________
    VERSIONS AFFECTED

    The only affected official release is Gallery 1.3.2. However, for
    those of you tracking Gallery in CVS, this hole was introduced in
    Gallery 1.3.2-cvs-b27 and was closed in Gallery 1.3.3-cvs-b6.

    _____
    PATCH

    The fix to this problem is very simple. Pursue one of the following
    three options:

    1. Upgrade to v1.3.3, available now on the Gallery website:
            http://gallery.sourceforge.net/download.php

    -- or --

    2. Edit your publish_xp_docs.php and near the top of the file, modify
       the code so that this line:

            <?php require($GALLERY_BASEDIR . "init.php"); ?>

       appears after this block:

            <?php
            // Hack prevention.
            if (!empty($HTTP_GET_VARS["GALLERY_BASEDIR"]) ||
                !empty($HTTP_POST_VARS["GALLERY_BASEDIR"]) ||
                !empty($HTTP_COOKIE_VARS["GALLERY_BASEDIR"])) {
                    print "Security violation\n";
                    exit;
            }
            ?>

    -- or --

    3. Delete publish_xp_docs.php. This will secure your system but will
       also disable the Windows XP Publishing feature.
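    Option 2 only works if the hack-prevention block ends up before the
    require, and covers all three of GET, POST and COOKIE. The checker
    below is an added example, not code from the advisory or from Gallery;
    it classifies the text of a publish_xp_docs.php by looking for the
    require line and the three $HTTP_*_VARS checks quoted above and
    verifying their order. The three sample sources embedded in it are
    constructed, abbreviated stand-ins for the real file, not copies of it.

```python
import re
import sys

# The include line from the advisory that must come after the check.
REQUIRE_RE = re.compile(r'require\s*\(\s*\$GALLERY_BASEDIR\s*\.\s*"init\.php"\s*\)')

# One match per request source the hack-prevention block inspects.
GUARD_RE = re.compile(r'\$HTTP_(GET|POST|COOKIE)_VARS\s*\[\s*"GALLERY_BASEDIR"\s*\]')

REQUIRED_SOURCES = {"GET", "POST", "COOKIE"}


def check_publish_xp_docs(source):
    """Classify the source text of publish_xp_docs.php.

    Returns one of:
      "missing-require"  no require of $GALLERY_BASEDIR . "init.php" found
      "unpatched"        require present, no hack-prevention check at all
      "partial"          check present but not for GET, POST and COOKIE
      "wrong-order"      full check present but placed after the require
      "patched"          full check present and it precedes the require
    """
    req = REQUIRE_RE.search(source)
    if req is None:
        return "missing-require"
    guards = list(GUARD_RE.finditer(source))
    if not guards:
        return "unpatched"
    if {g.group(1) for g in guards} != REQUIRED_SOURCES:
        return "partial"
    # Every guard clause has to appear before the first require.
    if max(g.end() for g in guards) > req.start():
        return "wrong-order"
    return "patched"


# Constructed stand-ins for the real file (abbreviated, sample content only).
UNPATCHED = '''<?php require($GALLERY_BASEDIR . "init.php"); ?>
<html><body>publishing docs</body></html>
'''

PATCHED = '''<?php
// Hack prevention.
if (!empty($HTTP_GET_VARS["GALLERY_BASEDIR"]) ||
    !empty($HTTP_POST_VARS["GALLERY_BASEDIR"]) ||
    !empty($HTTP_COOKIE_VARS["GALLERY_BASEDIR"])) {
        print "Security violation\\n";
        exit;
}
?>
<?php require($GALLERY_BASEDIR . "init.php"); ?>
'''

WRONG_ORDER = UNPATCHED + PATCHED.split('<?php require')[0]


if __name__ == "__main__":
    # Usage: python check_publish_xp_docs.py /path/to/publish_xp_docs.php
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, "->", check_publish_xp_docs(fh.read()))
    else:
        for label, text in (("unpatched", UNPATCHED), ("patched", PATCHED),
                            ("wrong-order", WRONG_ORDER)):
            print(label, "->", check_publish_xp_docs(text))
```

    A "wrong-order" result is the case worth watching for: the block is
    present, so a quick grep would look fine, but the include still runs
    before the request is rejected.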

    regards,
    Bharat Mediratta
    Gallery developer


