[<prev] [next>] [day] [month] [year] [list]
Message-ID: <434F6BE5.1050002@menalto.com>
Date: Fri, 14 Oct 2005 01:27:17 -0700
From: Bharat Mediratta <bharat@...alto.com>
To: bugtraq@...urityfocus.com
Cc: gallery-core@...ts.sourceforge.net,
Michael Dipper <micha@...per.info>
Subject: Gallery 2.x Remote File Access Vulnerability
Vendor information:
Gallery is an open source web based photo album organizer. The
2.x is a newly released complete rewrite of the application.
Url: http://gallery.menalto.com
Contact: gallery@...alto.com
Vulnerability class:
Input sanitization
Details:
Michael Dipper has discovered an input sanitization issue that
allows users to specially craft a url to access any file on the
server that is accessible by the webserver. The vulnerability
may be used by any visitor to the Gallery, no user login is
required.
Exploit:
The vulnerability may be exploited by accessing a URL like this:
http://example.com/gallery2/main.php
?g2_itemId=/../../../../../../../etc/aliases%00
Internally the Gallery caching code uses this variable to
construct a relative filename to a cache file. Using ../..
elements in the path allow you to escape the Gallery directory
and view files that are not regularly available via the webserver.
Solution:
The Gallery team has released Gallery 2.0.1 which resolves this
security issue by validating the input variable, modifying the
caching code to prevent it from generating paths with '..' in
them, and modifying the choke point on included files to prevent
it from loading files that contain '..' in them.
Download 2.0.1 (including patch files from 2.0) from here:
http://codex.gallery2.org/Gallery2:Download
A big thanks to Michael Dipper for bringing this to our attention
and providing us with lead time to make a patch available before
fully disclosing it.
Vulnerable:
Gallery 2.0
Gallery 2.0 Beta 3
Gallery 2.0 Beta 2
Gallery 2.0 Beta 1
Gallery 2.0 Alpha 4
Gallery 2.0 Alpha 3
Gallery 2.0 Alpha 2
Gallery 2.0 Alpha 1
CVS HEAD before 2005-10-13
Not Vulnerable:
Gallery 1.x
Gallery Remote (all versions)
Credit:
Michael Dipper
http://dipper.info/
History:
20051012 - Initial discovery and reporting
(Michael Dipper, micha-at-dipper.info )
20051013 - Vendor fix released
Powered by blists - more mailing lists