Remote exploit in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1

From: Bharat Mediratta (bharat_at_menalto.com)
Date: 01/27/04

    To: <bugtraq@securityfocus.com>
    Date: Tue, 27 Jan 2004 14:29:52 -0800


    (Big thanks to Fred [vrotogel] for discovering this vulnerability
     and alerting us before posting.)

    ___________________
    PROBLEM DESCRIPTION

    Gallery is an open source image management system written in PHP.
    Learn more about it at http://gallery.sourceforge.net

    Starting in release 1.3.1, Gallery includes code to simulate the
    behaviour of register_globals in environments where that setting
    is disabled. We do this by extracting the values of the various
    $HTTP_ global variables into the global namespace. We check
    for the presence of certain types of malicious data before doing
    this, but our checks are inadequate.

    A clever hacker can circumvent our checks by crafting a URL like
    this:

        http://example.com/gallery/init.php?HTTP_POST_VARS=xxx

    This causes our register_globals simulation code to overwrite
    $HTTP_POST_VARS with the attacker-supplied value; when that array
    is in turn extracted, it delivers the payload into the global
    namespace. If the payload compromises $GALLERY_BASEDIR, the
    malicious user can perform a PHP injection exploit and gain remote
    access to your box as the webserver/PHP user id.
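    The following is an added illustration of the mechanism described
    above and of one defensive fix; it is not Gallery's own code. It
    contrasts a register_globals emulation that extracts the GET array
    and then whatever $HTTP_POST_VARS happens to hold, with a hardened
    variant that rejects request keys named after PHP's request arrays
    or the application's configuration prefix and never overwrites an
    existing variable. The request data, the function names and the
    GALLERY_BASEDIR value are constructed for the example.

```php
<?php
// Added illustration, not Gallery's own code. Shows why extracting
// request arrays into the global namespace can be subverted when a
// request key names the next array to be extracted, and one way to
// reject such keys. Variable and function names below are assumptions.

// Constructed request data standing in for $HTTP_GET_VARS and
// $HTTP_POST_VARS. The GET array carries a key that collides with the
// name of the POST array itself.
$constructedGet = array(
    'album'          => 'holiday',
    'HTTP_POST_VARS' => array('GALLERY_BASEDIR' => 'http://attacker.invalid/'),
);
$constructedPost = array();

// Flawed emulation: extract GET, then extract whatever $HTTP_POST_VARS
// now holds. The first extract() has already replaced $HTTP_POST_VARS
// with the request-supplied array, so the second extract() installs
// $GALLERY_BASEDIR from the request instead of from configuration.
function flawedEmulation(array $get, array $post)
{
    $GALLERY_BASEDIR = '/var/www/gallery/';   // value set by the application's config
    $HTTP_POST_VARS  = $post;

    extract($get, EXTR_OVERWRITE);             // clobbers $HTTP_POST_VARS
    extract($HTTP_POST_VARS, EXTR_OVERWRITE);  // imports the payload

    return $GALLERY_BASEDIR;
}

// Names that must never be settable from a request: PHP's request and
// server arrays (old HTTP_* and new _* spellings), $GLOBALS, and the
// application's own configuration prefix. Legitimate variables starting
// with an underscore are rejected too, which is a deliberate trade-off.
function isSafeRequestVariableName($name)
{
    if (!is_string($name) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        return false;
    }
    $forbiddenPrefixes = array('HTTP_', 'GALLERY_', '_');
    foreach ($forbiddenPrefixes as $prefix) {
        if (strncmp($name, $prefix, strlen($prefix)) === 0) {
            return false;
        }
    }
    return $name !== 'GLOBALS' && $name !== 'argv' && $name !== 'argc';
}

// Hardened emulation: filter every key through the rule above, read the
// POST array from its original source rather than from a variable the
// GET step could have changed, and use EXTR_SKIP so an already-defined
// variable (such as $GALLERY_BASEDIR) is never overwritten.
function hardenedEmulation(array $get, array $post, array &$rejected)
{
    $GALLERY_BASEDIR = '/var/www/gallery/';
    $rejected = array();

    foreach (array('GET' => $get, 'POST' => $post) as $source => $vars) {
        $clean = array();
        foreach ($vars as $name => $value) {
            if (isSafeRequestVariableName($name)) {
                $clean[$name] = $value;
            } else {
                $rejected[] = $source . ':' . $name;   // log candidates for detection
            }
        }
        extract($clean, EXTR_SKIP);
    }

    return $GALLERY_BASEDIR;
}

echo "flawed:   ", flawedEmulation($constructedGet, $constructedPost), "\n";
$rejected = array();
echo "hardened: ", hardenedEmulation($constructedGet, $constructedPost, $rejected), "\n";
echo "rejected: ", implode(', ', $rejected), "\n";
```

    Run stand-alone, the flawed function returns the request-supplied
    URL as $GALLERY_BASEDIR while the hardened one keeps the configured
    path and reports the rejected key GET:HTTP_POST_VARS. Logging the
    rejected names is also a cheap detection signal: any request that
    tries to set an HTTP_* or GALLERY_* variable is worth alerting on.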

    _________________
    VERSIONS AFFECTED

    This vulnerability affects Gallery releases 1.3.1, 1.3.2, 1.3.3,
    1.4 and 1.4.1. It has been fixed in Gallery v1.4.1-pl1, v1.4.2
    (not yet released) and in the CVS HEAD. We strongly recommend
    that all users upgrade to Gallery v1.4.1-pl1 ASAP.

    __________________
    FIXING THE PROBLEM

    There are three different ways you can resolve this problem.

    1. Replace init.php and setup/init.php with the files from this zip:

    http://prdownloads.sourceforge.net/gallery/patch_1.4.1-to-1.4.1-pl1.zip?download

         -or-

    2. Upgrade to Gallery 1.4.1-pl1:

    http://sourceforge.net/project/showfiles.php?group_id=7130&package_id=7239&release_id=212324

        -or-

    3. Follow the instructions in this news article:
          http://gallery.sourceforge.net/article.php?sid=107
        to manually patch the two affected files. (This won't take more
        than a couple of minutes.)

    regards,
    Bharat Mediratta
    Gallery developer
