Message-ID: <945d9cc80408231158788b4e38@mail.gmail.com>
From: da.m0nk3y at gmail.com (da m0nk3y)
Subject: Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept

On Fri, 20 Aug 2004 23:56:42 -0400, Chris Kelly <ckdake@...oo.com> wrote:
> > #!/usr/bin/php
> >       Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
> >       By aCiDBiTS          acidbits@...mail.com          17-August-2004
> > ++  Vulnerability description  ++
> >
> >       Gallery (http://gallery.sf.net/) is a PHP image gallery script. Having
> > permission to upload photos to some album, and with the temporal directory in
> > the webtree, it is possible to create a file with any extension and
> > content. Tested in v 1.4.4; maybe older versions are also vulnerable.
> >
> >       When uploading photos with the "URL method", they are saved in the temporal
> > directory before processing them. Any file with any content is accepted.
> > After downloading, the file is processed (discarded if it is not an image)
> > and deleted from the temporal directory.
> >
> >       When the script downloads the file to the temporal directory there's the
> > function set_time_limit() that by default waits 30 seconds to abort the
> > process if no more data is received and the transfer connection isn't
> > closed. If the temporal directory is in the webtree, during these 30 seconds
> > of timeout we can access the file, executing it.
> >
> >       There's also a "directory disclosure" that I've used to determine if the
> > temporal directory is in gallery's webtree.  It consists of sending a longer
> > filename than permitted by the filesystem for the image upload name.
> 
> We are disappointed that you made no effort to get in touch with us
> about this issue before announcing it on full-disclosure, which
> prevented us from having a fix ready at the same time.  

raped

> A fix has been
> made and both an update patch (1.4.4-sr1) and full release (1.4.4-pl1,
> which also fixes some other minor non-security related bugs) are
> available for download as of 11:00pm EST August 20th 2004.
>
> download information:
> http://sourceforge.net/project/showfiles.php?group_id=7130
> 
> release information:
> http://gallery.sourceforge.net/article.php?sid=134
> 
> -Chris Kelly
> Gallery Project Manager
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
AcIdBiTS owned Gallery.sourceforge.net
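For reference, here is an added example (not Gallery's code, not from either poster) of how a "URL method" fetch like the one the quoted advisory describes can stage the download so that the window it relies on does not exist: the bytes never land inside the web tree, never carry an attacker-chosen name or extension, and are validated as an image before they are moved anywhere a browser can reach. The function name, $stagingDir (assumed to be outside DocumentRoot) and $albumDir are assumptions for the example.

```php
<?php
// Added example, not Gallery's code. Assumes $stagingDir is a writable
// directory outside the web tree and $albumDir is the album's image directory.
function fetch_image_safely(string $url, string $stagingDir, string $albumDir,
                            int $maxBytes = 4 * 1024 * 1024): string
{
    // Only http(s) sources: rejects file://, php://, ftp:// and other wrappers.
    if (!preg_match('#^https?://#i', $url)) {
        throw new RuntimeException('only http(s) URLs are accepted');
    }
    // Opaque, server-chosen staging name outside the web tree: even a slow or
    // stalled transfer is never reachable by URL, and the extension is never
    // under the uploader's control.
    $staging = $stagingDir . '/' . bin2hex(random_bytes(16)) . '.part';
    $ctx = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
    $in  = @fopen($url, 'rb', false, $ctx);
    if ($in === false) {
        throw new RuntimeException('download failed');
    }
    stream_set_timeout($in, 10);            // abort a transfer that stops sending data
    $out = fopen($staging, 'xb');           // 'x': fail rather than reuse an existing name
    $written = 0;
    try {
        while (!feof($in)) {
            $chunk = fread($in, 8192);
            if ($chunk === false || $chunk === '') {
                if (stream_get_meta_data($in)['timed_out']) {
                    throw new RuntimeException('stalled transfer aborted');
                }
                break;
            }
            $written += strlen($chunk);
            if ($written > $maxBytes) {
                throw new RuntimeException('file too large');
            }
            fwrite($out, $chunk);
        }
        fclose($in); fclose($out); $in = $out = null;
        // Validate the *complete* file before it can ever be served or executed.
        $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
        $info = @getimagesize($staging);
        if ($info === false || !isset($allowed[$info[2]])) {
            throw new RuntimeException('not an accepted image');
        }
        // Final name is server-chosen; the extension comes from the detected type.
        $final = $albumDir . '/' . bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
        if (!rename($staging, $final)) {
            throw new RuntimeException('could not place image');
        }
        return $final;
    } finally {
        if (is_resource($in))  fclose($in);
        if (is_resource($out)) fclose($out);
        if (is_file($staging)) unlink($staging);   // no leftover on any failure path
    }
}
```

The same pattern applies to regular form uploads: keep the file where the web server cannot serve it until validation has finished, then rename it into place under a name the server picked.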

