lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 03 Mar 2006 06:25:22 -0600
From: GulfTech Security Research <security@...ftech.org>
To: Secunia Research <vuln@...unia.com>, moderators@...db.org,
	bugtraq@...urityfocus.com
Subject: Gallery 2 Multiple Vulnerabilities


##########################################################
# GulfTech Security Research               March 02, 2006
##########################################################
# Vendor : Bharat Mediratta
# URL : http://gallery.menalto.com/
# Version : Gallery2 <= 2.0.2
# Risk : Multiple Vulnerabilities
##########################################################


Description:
Gallery2, the open source web based photo album organizer is
one of the most popular php web applications available today.
Gallery2 suffers from a number of vulnerabilities including
IP Spoofing via X_FORWARDED_FOR that may allow a malicious
user to hide their identity, script injection via the faulty
X_FORWARDED_FOR implementation, and also arbitrary file access
which could ultimately lead to the deletion of arbitrary files
on the webserver. A new version of Gallery 2 has been released
and users should upgrade their Gallery 2 installations.



IP Spoofing:
There is an issue with Gallery2 that allows for users to
perform actions anonymously by spoofing their identity with
a bogus X_FORWARDED_FOR HTTP Header.

function getRemoteHostAddress() {
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
     $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else if (isset($_SERVER['HTTP_CLIENT_IP'])) {
     $ip = $_SERVER['HTTP_CLIENT_IP'];
} else if (isset($_SERVER['REMOTE_ADDR'])) {
     $ip = $_SERVER['REMOTE_ADDR'];
} else {
     return null;
}
return $ip;
}

The above code is responsible for the previously mentioned
problem because it allows the possibly user supplied header
X_FORWARDED_FOR to take precedence over REMOTE_ADDR.
Unfortunately this same issues can be levereged to carry out
more sinister attacks.



Script Injection:
Because the IP Address returned by Gallery2 is thought to be
safe there are a number of other issues that can be exploited
by sending a bogus X_FORWARDED_FOR header. For example, when
adding comments in an album the user's IP is logged and
displayed along with said comment. This could be used to execute
arbitrary client side code such as JavaScript in the context of
a user's (admin, maybe?) browser.



Arbitrary File Access:
Gallery2 is vulnerable to an arbitrary file access issue within
it's session handling class. This vulnerability allows for an
attacker to possibly access certain file information, and delete
arbitrary files on the webserver.

function _isSessionValid() {
global $gallery;
$platform = $gallery->getPlatform();

if (!empty($this->_sessionId)) {
     /* Check if the session has expired */
     $sessionFile = $gallery->getConfig('data.gallery.sessions') . 
$this->_sessionId;
     if ($platform->file_exists($sessionFile)) {
	list ($ret, $lifetime) =
	    GalleryCoreApi::getPluginParameter('module', 'core', 
'session.lifetime');
	if ($ret->isError()) {
	    return array($ret->wrap(__FILE__, __LINE__), null);
	}
	list ($ret, $inactivityTimeout) =
	    GalleryCoreApi::getPluginParameter('module', 'core',
					       'session.inactivityTimeout');
	if ($ret->isError()) {
	    return array($ret->wrap(__FILE__, __LINE__), null);
	}
	$lifetimeCutoff = time() - $lifetime;
	$inactiveCutoff = time() - $inactivityTimeout;
	$statData = $platform->stat($sessionFile);
	if ($statData['mtime'] < $inactiveCutoff || $statData['ctime'] < 
$lifetimeCutoff) {
	    /* The session has timed out, remove it */
	    $platform->unlink($sessionFile);
	} else {
	    return array(GalleryStatus::success(), true);
	}
     } else {
	return array(GalleryStatus::success(), true);
     }
}
return array(GalleryStatus::success(), false);
}

The above code is the function from the Gallery2 session class that
checks to see whether or not a session is valid. Unfortunately this
code, like most of the code in the session class relies on the value
of $this->_sessionId to be valid. However, at the very beginning of
the session class a check is made for a session cookie, and if that
cookie is present then it is blindly loaded into _sessionId with
absolutely no sanitation.

* Sanitize the session id (which may have come from user input) to
* avoid possibly writing outside the session storage dir.
*/
$this->_sessionId = preg_replace('/[^a-zA-Z0-9]/', '', $this->_sessionId);

The above code DOES sanitize the session id, but not until after the
session id is already sent to the _isSessionValid() function. So, it
is no problem for an attacker to specify a path outside of the web
directory, and because there is nothing following the user supplied
data within the constructed $sessionFile path, there is no need to
specify a null byte. So, this works with magic quotes on as well as
with magic quotes off. This could lead to other attacks such as
gaining access to a restricted web directory by deleting a .htaccess
file using the previously mentioned vulnerability.



Solution:
Thanks to Bharat Mediratta for a very prompt resolution to these
issues. A new version of Gallery 2 has been released today.

http://gallery.menalto.com/gallery_2.0.3_released

Users should upgrade their Gallery 2 installations as soon as
possible to the latest available version.



Credits:
James Bercegay of the GulfTech Security Research Team



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00106-03022006

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ