Message-ID: <945d9cc80408231158788b4e38@mail.gmail.com>
From: da.m0nk3y at gmail.com (da m0nk3y)
Subject: Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
On Fri, 20 Aug 2004 23:56:42 -0400, Chris Kelly <ckdake@...oo.com> wrote:
> > #!/usr/bin/php
> > Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
> > By aCiDBiTS acidbits@...mail.com 17-August-2004
> > ++ Vulnerability description ++
> >
> > Gallery (http://gallery.sf.net/) is a PHP image gallery script. Having
> > permission to upload photos in some album and the temporal directory is in
> > the webtree, then it is possible to create a file with any extension and
> > content. Tested in v 1.4.4, maybe older versions also vulnerable.
> >
> > When uploading photos with the "URL method", they are saved in the temporal
> > directory before processing them. Any file with any content is accepted.
> > After downloading, the file is processed (discarded if it is not an image)
> > and deleted from the temporal directory.
> >
> > When the script downloads the file to the temporal directory there's the
> > function set_time_limit() that by default waits 30 seconds to abort the
> > process if no more data is received and the transfer connection isn't
> > closed. If the temporal directory is in the webtree, during this 30 seconds
> > timeout we can access the file, executing it.
> >
> > There's also a "directory disclosure" that I've used to determine if the
> > temporal directory is in gallery's webtree. It consists in sending a longer
> > filename than permitted by the filesystem for the image upload name.
>
> We are disappointed that you made no effort to get in touch with us
> about this issue before announcing it on full-disclosure, which
> prevented us from having a fix ready at the same time.
raped
> A fix has been
> made and both an update patch (1.4.4-sr1) and full release (1.4.4-pl1,
> which also fixes some other minor non-security related bugs) are
> available for download as of 11:00pm EST August 20th 2004.
>
> download information:
> http://sourceforge.net/project/showfiles.php?group_id=7130
>
> release information:
> http://gallery.sourceforge.net/article.php?sid=134
>
> -Chris Kelly
> Gallery Project Manager
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
AcIdBiTS owned Gallery.sourceforge.net
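
Added example, not part of the thread and not Gallery's code: a Python audit that checks the precondition the advisory names, an upload temp directory that sits inside the web tree, and lists script-typed files found there. The function names, the extension list and the demo directory tree are assumptions made for this sketch.

```python
import os
import shutil
import tempfile

# Assumed list of extensions a PHP-enabled web server may pass to an interpreter.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".phtml", ".cgi", ".pl"}

def is_inside(docroot, path):
    """True if path, with symlinks resolved, is docroot or lies beneath it."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(path)
    # commonpath compares whole components, so /var/www-tmp is not "inside" /var/www.
    return os.path.commonpath([root, target]) == root

def audit_temp_dir(docroot, temp_dir):
    """Return findings for an upload temp directory; an empty list means none."""
    findings = []
    if not is_inside(docroot, temp_dir):
        return findings
    findings.append("temp dir is served by the web server: " + os.path.realpath(temp_dir))
    for name in sorted(os.listdir(temp_dir)):
        if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
            findings.append("script-typed file in temp dir: " + name)
    return findings

def demo():
    """Run the audit over a constructed directory tree (sample data, not a real install)."""
    base = tempfile.mkdtemp()
    try:
        docroot = os.path.join(base, "www")
        inside = os.path.join(docroot, "gallery", "tmp")
        sibling = os.path.join(base, "www-tmp")   # shares a string prefix only
        link = os.path.join(base, "link-tmp")     # outside by name, inside by target
        os.makedirs(inside)
        os.makedirs(sibling)
        os.symlink(inside, link)
        for name in ("photo.jpg", "photo.php"):
            open(os.path.join(inside, name), "w").close()
        return {
            "inside": audit_temp_dir(docroot, inside),
            "sibling": audit_temp_dir(docroot, sibling),
            "symlink": audit_temp_dir(docroot, link),
        }
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings)
```

A temp path that only looks external because it is a symlink is still reported, since both paths are resolved before comparison.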