Message-ID: <4126C7FA.9030208@yahoo.com>
From: ckdake at yahoo.com (Chris Kelly)
Subject: Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept

> #!/usr/bin/php
> 	Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
> 	By aCiDBiTS          acidbits@...mail.com          17-August-2004
> ++  Vulnerability description  ++
> 
> 	Gallery (http://gallery.sf.net/) is a PHP image gallery script. If you have 
> permission to upload photos to some album and the temporary directory is in 
> the webtree, then it is possible to create a file with any extension and 
> content. Tested in v1.4.4; older versions may also be vulnerable.
> 
> 	When uploading photos with the "URL method", they are saved in the temporary 
> directory before being processed. Any file with any content is accepted. 
> After downloading, the file is processed (discarded if it is not an image) 
> and deleted from the temporary directory.
> 
> 	When the script downloads the file to the temporary directory, the 
> function set_time_limit() by default waits 30 seconds before aborting the 
> process if no more data is received and the transfer connection isn't 
> closed. If the temporary directory is in the webtree, during this 30-second 
> timeout we can access the file, executing it.
> 
> 	There's also a "directory disclosure" that I've used to determine whether the 
> temporary directory is in gallery's webtree. It consists of sending a longer 
> filename than permitted by the filesystem as the image upload name.

We are disappointed that you made no effort to get in touch with us 
about this issue before announcing it on full-disclosure, which 
prevented us from having a fix ready at the same time.  A fix has been 
made and both an update patch (1.4.4-sr1) and full release (1.4.4-pl1, 
which also fixes some other minor non-security related bugs) are 
available for download as of 11:00pm EST August 20th 2004.

download information:
http://sourceforge.net/project/showfiles.php?group_id=7130

release information:
http://gallery.sourceforge.net/article.php?sid=134

-Chris Kelly
Gallery Project Manager
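The quoted advisory turns on two conditions: the fetched file lands under the web tree, and it keeps a caller-chosen name (and extension) during the 30-second download window. The handler below is an added example written for this archive page, not Gallery's own code or its 1.4.4-sr1 fix, showing the pattern that removes both conditions: fetch into a directory outside DocumentRoot under a random, extension-less name, validate the bytes as an image, and only then rename into the album with a server-chosen filename. `TEMP_DIR`, `ALBUM_DIR`, `MAX_BYTES` and the function names are assumptions for illustration.

```php
<?php
// Added example (not Gallery's code): a URL-upload handler that avoids the
// race described in the advisory. The transfer is written OUTSIDE the web
// tree under a random name with no extension, so nothing is reachable by
// URL while bytes are still arriving; only a file that validates as an image
// is moved into the album, and the server picks its final name.
// The paths and limits below are constructed assumptions.

const MAX_BYTES = 8 * 1024 * 1024;              // cap on the remote fetch
const TEMP_DIR  = '/var/tmp/gallery';           // assumed: not under DocumentRoot
const ALBUM_DIR = '/var/www/html/albums/demo';  // assumed destination album

// Accepted image types, keyed by the constant getimagesize() reports in [2].
const ALLOWED = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

function fetch_to_temp(string $url): string
{
    if (!preg_match('#^https?://#i', $url)) {
        throw new RuntimeException('only http(s) URLs are accepted');
    }
    // tempnam() creates the file with mode 0600 and no extension: even a
    // mis-mapped web server has no handler that would execute it.
    $tmp = tempnam(TEMP_DIR, 'up');
    if ($tmp === false) {
        throw new RuntimeException('cannot create temp file');
    }
    $ctx = stream_context_create(['http' => ['timeout' => 10]]);
    $in  = fopen($url, 'rb', false, $ctx);
    $out = fopen($tmp, 'wb');
    if ($in === false || $out === false) {
        @unlink($tmp);
        throw new RuntimeException('cannot open stream');
    }
    $total = 0;
    while (!feof($in)) {
        $chunk = fread($in, 65536);
        if ($chunk === false) {
            break;
        }
        $total += strlen($chunk);
        if ($total > MAX_BYTES) {          // abort a slow or oversized transfer early
            fclose($in);
            fclose($out);
            unlink($tmp);
            throw new RuntimeException('file too large');
        }
        fwrite($out, $chunk);
    }
    fclose($in);
    fclose($out);
    return $tmp;
}

function promote_if_image(string $tmp): string
{
    // Inspect the real header; the URL's extension is never trusted.
    $info = @getimagesize($tmp);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        unlink($tmp);                      // not an image: discarded, never exposed
        throw new RuntimeException('not an accepted image');
    }
    // Server-chosen name and extension; the uploader controls neither.
    $dest = ALBUM_DIR . '/' . bin2hex(random_bytes(8)) . '.' . ALLOWED[$info[2]];
    if (!rename($tmp, $dest)) {
        unlink($tmp);
        throw new RuntimeException('cannot move into album');
    }
    chmod($dest, 0644);
    return $dest;
}

// Usage (assumed URL):
// $path = promote_if_image(fetch_to_temp('https://example.com/photo.jpg'));
```

The size cap also bounds the download window the advisory relies on, but the decisive change is that a partially transferred file has no URL at all: the temporary path is outside the web tree and carries no extension, so there is nothing to request during the transfer. Keeping the temporary directory outside DocumentRoot is the check worth confirming on any deployment that accepts remote uploads.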

