Date: Sat, 11 Oct 2003 22:53:10 -0700
From: "Bharat Mediratta" <bharat@...alto.com>
To: <bugtraq@...urityfocus.com>
Subject: Re: Gallery 1.4 including file vulnerability


From: "Peter Stöckli" <pcs@...tquest.com>
...
> -Proof of concept-
> It is possible to include any php file from a remote host, and execute
> it on the target's server.

Thanks for the alert.  It's disappointing that you made absolutely
no effort to contact us before announcing this vulnerability.
Even 12 hours would have let us have a release ready in time for
your announcement and you still would have gotten the credit.

This vulnerability affects a small percentage of Unix gallery users,
as it can only be exploited when Gallery is in the non-functional
"configuration mode".  However, it does expose Windows users to
the exploit.  Only the following versions of Gallery have the bug:
* 1.4
* 1.4-pl1
* 1.4.1 (unreleased; prior to build 145)

The problem has been fixed in:
* 1.4-pl2
  http://sf.net/project/showfiles.php?group_id=7130&release_id=184028
* 1.4.1 (unreleased; build 145)

We strongly recommend that you upgrade to 1.4-pl2 immediately.
However, if you don't want to install the entire 1.4-pl2 update, there
are two simple approaches you can take to secure your system:

1.  Delete gallery/setup/index.php
    This will also disable the configuration wizard for you until you
    restore this file or upgrade to a secure release.

     --or--

2.  Open gallery/setup/index.php in a text editor and change the
    following lines:

        if (!isset($GALLERY_BASEDIR)) {
          $GALLERY_BASEDIR = '../';
        }

    to this:

       $GALLERY_BASEDIR = '../';

    Note that all we are doing is deleting two lines of code.

regards,
Bharat Mediratta
Gallery Development Team
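
As an added example (not part of the original message and not Gallery project code), here is a shell check an administrator could run to see whether an install's setup/index.php still contains the isset() guard quoted above or has had one of the two workarounds applied. The function names and output labels are assumptions made for this illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not Gallery project code. Classifies setup/index.php of a
# Gallery install against the two workarounds in the message above.
# Output: removed | conditional | unconditional | unknown

check_gallery_setup() {
    f="$1/setup/index.php"          # $1: Gallery install directory
    # Workaround 1 applied: the setup script is gone.
    [ -f "$f" ] || { echo removed; return 0; }
    # Drop whole-line comments so a commented-out guard is not counted.
    code=$(grep -Ev '^[[:space:]]*(//|#)' "$f" || true)
    # Affected form: assignment guarded by !isset($GALLERY_BASEDIR).
    if printf '%s\n' "$code" |
        grep -Eq '!isset\([[:space:]]*\$GALLERY_BASEDIR[[:space:]]*\)'; then
        echo conditional; return 0
    fi
    # Workaround 2 applied: an assignment with no isset() guard.
    if printf '%s\n' "$code" |
        grep -Eq '^[[:space:]]*\$GALLERY_BASEDIR[[:space:]]*='; then
        echo unconditional; return 0
    fi
    echo unknown
}

# Constructed sample installs for trying the check offline.
make_sample() {                      # $1: directory, $2: guarded | fixed
    mkdir -p "$1/setup"
    if [ "$2" = guarded ]; then
        printf '%s\n' '<?php' 'if (!isset($GALLERY_BASEDIR)) {' \
            "  \$GALLERY_BASEDIR = '../';" '}' > "$1/setup/index.php"
    else
        printf '%s\n' '<?php' "\$GALLERY_BASEDIR = '../';" > "$1/setup/index.php"
    fi
}

# Command-line use: sh check.sh /path/to/gallery
if [ "$#" -gt 0 ]; then check_gallery_setup "$1"; fi
```

A result of "conditional" means the file still matches the original lines quoted in the message; "unknown" means neither form was found and the file should be read by hand.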


