Message-ID: <4126C7FA.9030208@yahoo.com>
From: ckdake at yahoo.com (Chris Kelly)
Subject: Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
> #!/usr/bin/php
> Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
> By aCiDBiTS acidbits@...mail.com 17-August-2004
> ++ Vulnerability description ++
>
> Gallery (http://gallery.sf.net/) is a PHP image gallery script. If you have
> permission to upload photos to some album and the temporary directory is in
> the webtree, then it is possible to create a file with any extension and
> content. Tested in v 1.4.4; older versions may also be vulnerable.
>
> When uploading photos with the "URL method", they are saved in the temporary
> directory before processing them. Any file with any content is accepted.
> After downloading, the file is processed (discarded if it is not an image)
> and deleted from the temporary directory.
>
> When the script downloads the file to the temporary directory there's the
> function set_time_limit() that by default waits 30 seconds to abort the
> process if no more data is received and the transfer connection isn't
> closed. If the temporary directory is in the webtree, during this 30-second
> timeout we can access the file, executing it.
>
> There's also a "directory disclosure" that I've used to determine if the
> temporary directory is in Gallery's webtree. It consists of sending a longer
> filename than permitted by the filesystem for the image upload name.
We are disappointed that you made no effort to get in touch with us
about this issue before announcing it on full-disclosure, which
prevented us from having a fix ready at the same time. A fix has been
made and both an update patch (1.4.4-sr1) and full release (1.4.4-pl1,
which also fixes some other minor non-security related bugs) are
available for download as of 11:00pm EST August 20th 2004.
download information:
http://sourceforge.net/project/showfiles.php?group_id=7130
release information:
http://gallery.sourceforge.net/article.php?sid=134
-Chris Kelly
Gallery Project Manager
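As an added illustration (not code from the advisory, the reply, or the Gallery project), the unsafe pattern the advisory describes is shown beside a hardened URL-upload routine; the directory paths, function names and size cap are assumptions:

```php
<?php
// Added illustration of the pattern described in the advisory; this is NOT
// Gallery's code. Paths, function names and the size cap are assumptions.

// Unsafe pattern: the remote file is streamed into a directory that the web
// server serves, under the caller-supplied name and extension. While the
// download is still in progress (up to the set_time_limit() window the
// advisory mentions) the partially written file is already reachable by URL,
// so the image check below runs only after the file has been exposed.
function save_from_url_unsafe(string $url, string $name): string {
    $tmpDir = '/var/www/html/gallery/tmp';        // inside the webtree (assumed)
    $dest   = $tmpDir . '/' . basename($name);    // caller controls the extension
    copy($url, $dest);                            // blocks until the transfer ends
    if (@getimagesize($dest) === false) {
        unlink($dest);                            // validation happens too late
    }
    return $dest;
}

// Hardened pattern: download into a directory outside the document root under
// a random, extension-less name, validate the content, and only then move the
// file into the album with a server-chosen name whose extension comes from the
// detected image type. Nothing under the webtree exists before validation, and
// failures return null instead of echoing any filesystem path.
function save_from_url_hardened(string $url, string $albumDir): ?string {
    $tmpDir = '/var/lib/gallery/tmp';             // not served by httpd (assumed)
    $tmp = tempnam($tmpDir, 'up');                // random name, mode 0600
    $in  = @fopen($url, 'rb');
    $out = fopen($tmp, 'wb');
    if ($in === false || $out === false) {
        if ($out !== false) { fclose($out); }
        unlink($tmp);
        return null;
    }
    stream_copy_to_stream($in, $out, 10 * 1024 * 1024);   // 10 MiB cap (assumed)
    fclose($in);
    fclose($out);
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    $info = @getimagesize($tmp);
    if ($info === false || !isset($allowed[$info[2]])) {
        unlink($tmp);                             // reject before anything is published
        return null;
    }
    $final = $albumDir . '/' . bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
    if (!rename($tmp, $final)) {                  // same filesystem assumed
        unlink($tmp);
        return null;
    }
    return $final;
}
```

The hardened routine needs the temporary directory and album directory on the same filesystem for rename() to be atomic; otherwise copy then unlink, still only after validation.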