Re: Gallery 1.4 including file vulnerability

From: Bharat Mediratta (
Date: 10/12/03

  • Next message: Terence Runge: "Re: Bad news on RPC DCOM vulnerability"
    To: <>
    Date: Sat, 11 Oct 2003 22:53:10 -0700

    From: "Peter Stöckli" <>
    > -Proof of concept-
    > It is possible to include any php file from a remote host, and execute
    > it on the target's server.

    Thanks for the alert. It's disappointing that you made absolutely
    no effort to contact us before announcing this vulnerability.
    Even 12 hours would have let us have a release ready in time for
    your announcement and you still would have gotten the credit.

    This vulnerability affects a small percentage of Unix gallery users,
    as it can only be exploited when Gallery is in the non-functional
    "configuration mode". However, it does expose Windows users to
    the exploit. Only the following versions of Gallery have the bug:
    * 1.4
    * 1.4-pl1
    * 1.4.1 (unreleased; prior to build 145)

    The problem has been fixed in:
    * 1.4-pl2
    * 1.4.1 (unreleased; build 145)

    We strongly recommend that you upgrade to 1.4-pl2 immediately.
    However, if you don't want to install the entire 1.4-pl2 update, there
    are two simple approches you can take to secure your system:

    1. Delete gallery/setup/index.php
        This will also disable the configuration wizard for you until you
        restore this file or upgrade to a secure release.


    2. Open gallery/setup/index.php in a text editor and change the
        following lines:

            if (!isset($GALLERY_BASEDIR)) {
              $GALLERY_BASEDIR = '../';

        to this:

           $GALLERY_BASEDIR = '../';

        Note that all we are doing is deleting two lines of code.

    Bharat Mediratta
    Gallery Development Team

  • Next message: Terence Runge: "Re: Bad news on RPC DCOM vulnerability"