Re: Gallery 1.4 including file vulnerability

From: Bharat Mediratta (bharat_at_menalto.com)
Date: 10/12/03

  • Next message: Terence Runge: "Re: Bad news on RPC DCOM vulnerability"
    To: <bugtraq@securityfocus.com>
    Date: Sat, 11 Oct 2003 22:53:10 -0700
    From: "Peter Stöckli" <pcs@rootquest.com>
    ...
    > -Proof of concept-
    > It is possible to include any php file from a remote host, and execute
    > it on the target's server.

    Thanks for the alert. It's disappointing that you made absolutely
    no effort to contact us before announcing this vulnerability.
    Even 12 hours would have let us have a release ready in time for
    your announcement and you still would have gotten the credit.

    This vulnerability affects a small percentage of Unix gallery users,
    as it can only be exploited when Gallery is in the non-functional
    "configuration mode". However, it does expose Windows users to
    the exploit. Only the following versions of Gallery have the bug:
    * 1.4
    * 1.4-pl1
    * 1.4.1 (unreleased; prior to build 145)

    The problem has been fixed in:
    * 1.4-pl2
      http://sf.net/project/showfiles.php?group_id=7130&release_id=184028
    * 1.4.1 (unreleased; build 145)

    We strongly recommend that you upgrade to 1.4-pl2 immediately.
    However, if you don't want to install the entire 1.4-pl2 update, there
    are two simple approaches you can take to secure your system:

    1. Delete gallery/setup/index.php
        This will also disable the configuration wizard for you until you
        restore this file or upgrade to a secure release.

         --or--

    2. Open gallery/setup/index.php in a text editor and change the
        following lines:

            if (!isset($GALLERY_BASEDIR)) {
              $GALLERY_BASEDIR = '../';
            }

        to this:

           $GALLERY_BASEDIR = '../';

        Note that all we are doing is deleting two lines of code.

    regards,
    Bharat Mediratta
    Gallery Development Team
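
The script below is an added example from the editor, not code from the advisory or from the Gallery project. It audits a Gallery 1.4 install for the two mitigations listed in the mail: it reports MISSING when gallery/setup/index.php has been deleted (approach 1), VULNERABLE when the file still carries the `if (!isset($GALLERY_BASEDIR))` guard, and FIXED when the assignment is unconditional (approach 2, or 1.4-pl2). The reason the guard matters is this editor's reading of the bug, not a statement from the mail: with PHP's register_globals enabled, a variable that is only set when it is not already set can be supplied by the request, so the later include path is attacker-controlled; forcing the assignment removes that. The sample trees the script builds are constructed for the demonstration, and the function and directory names are the editor's own.

```shell
#!/bin/sh
# Audit helper for the Gallery 1.4 setup/index.php issue.
# Added example by the editor; not part of the advisory or of Gallery.

# check_gallery_setup GALLERY_DIR
#   Prints MISSING, FIXED or VULNERABLE for GALLERY_DIR/setup/index.php.
#   Exit status: 0 for MISSING/FIXED, 1 for VULNERABLE, 2 on usage/read error.
check_gallery_setup() {
    gallery_dir="$1"
    [ -n "$gallery_dir" ] || { echo "usage: check_gallery_setup GALLERY_DIR" >&2; return 2; }
    f="$gallery_dir/setup/index.php"

    # Mitigation 1 from the mail: the file has been deleted outright.
    if [ ! -f "$f" ]; then
        echo MISSING
        return 0
    fi
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }

    # Mitigation 2 / 1.4-pl2: the isset() guard around $GALLERY_BASEDIR is gone,
    # so the variable is always forced to '../' whatever the request carries.
    # The pattern tolerates whitespace inside the isset() call; grep -q exits 0 on a match.
    if grep -q 'isset[[:space:]]*([[:space:]]*\$GALLERY_BASEDIR[[:space:]]*)' "$f"; then
        echo VULNERABLE
        return 1
    fi
    echo FIXED
    return 0
}

# make_sample_trees BASE_DIR
#   Constructed sample installs for the demonstration (not real Gallery trees):
#     vuln/    carries the guarded assignment quoted in the mail (1.4 / 1.4-pl1)
#     fixed/   carries the unconditional assignment (1.4-pl2 / approach 2)
#     deleted/ has no setup/index.php at all (approach 1)
make_sample_trees() {
    base="$1"
    mkdir -p "$base/vuln/setup" "$base/fixed/setup" "$base/deleted/setup"
    cat > "$base/vuln/setup/index.php" <<'EOF'
<?php
if (!isset($GALLERY_BASEDIR)) {
  $GALLERY_BASEDIR = '../';
}
EOF
    cat > "$base/fixed/setup/index.php" <<'EOF'
<?php
$GALLERY_BASEDIR = '../';
EOF
}

# Demonstration on the constructed trees; on a real host you would run
# check_gallery_setup against the actual Gallery directory instead.
demo_dir=$(mktemp -d)
make_sample_trees "$demo_dir"
for site in vuln fixed deleted; do
    printf '%-8s %s\n' "$site" "$(check_gallery_setup "$demo_dir/$site")"
done
rm -rf "$demo_dir"
```

Run it as `sh check_gallery.sh` for the demonstration, or source it and call `check_gallery_setup /var/www/gallery` (path assumed) to audit a live install; a non-zero exit status from the function makes it usable from a cron job or a host-audit script.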

