Bugtraq mailing list archives
Re: Gallery 1.4 including file vulnerability
From: "Bharat Mediratta" <bharat () menalto com>
Date: Sat, 11 Oct 2003 22:53:10 -0700
From: "Peter Stöckli" <pcs () rootquest com> ...
-Proof of concept- It is possible to include any php file from a remote host, and execute it on the target's server.
Thanks for the alert. It's disappointing that you made absolutely no effort to contact us before announcing this vulnerability. Even 12 hours would have let us have a release ready in time for your announcement and you still would have gotten the credit.

This vulnerability affects a small percentage of Unix gallery users, as it can only be exploited when Gallery is in the non-functional "configuration mode". However, it does expose Windows users to the exploit.

Only the following versions of Gallery have the bug:
  * 1.4
  * 1.4-pl1
  * 1.4.1 (unreleased; prior to build 145)

The problem has been fixed in:
  * 1.4-pl2
    http://sf.net/project/showfiles.php?group_id=7130&release_id=184028
  * 1.4.1 (unreleased; build 145)

We strongly recommend that you upgrade to 1.4-pl2 immediately. However, if you don't want to install the entire 1.4-pl2 update, there are two simple approaches you can take to secure your system:

1. Delete gallery/setup/index.php

   This will also disable the configuration wizard for you until you restore this file or upgrade to a secure release.

--or--

2. Open gallery/setup/index.php in a text editor and change the following lines:

       if (!isset($GALLERY_BASEDIR)) {
           $GALLERY_BASEDIR = '../';
       }

   to this:

       $GALLERY_BASEDIR = '../';

   Note that all we are doing is deleting two lines of code.

regards,
Bharat Mediratta
Gallery Development Team
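An added example, not part of the original message or of Gallery's code: a small audit script that reports, for each Gallery directory given, which of the two workarounds described above is in place. The function names, status strings, and sample inputs are assumptions made for illustration; the script recognizes only the two code forms quoted in the message and reports anything else as unrecognized.

```python
import re
import sys
from pathlib import Path

# The guarded assignment the message says to remove (whitespace-tolerant).
GUARDED = re.compile(
    r"if\s*\(\s*!\s*isset\s*\(\s*\$GALLERY_BASEDIR\s*\)\s*\)\s*\{\s*"
    r"\$GALLERY_BASEDIR\s*=\s*(['\"])\.\./\1\s*;\s*\}"
)
# The unconditional assignment the message says to leave in place.
UNCONDITIONAL = re.compile(r"\$GALLERY_BASEDIR\s*=\s*(['\"])\.\./\1\s*;")


def classify_source(php_source: str) -> str:
    """Classify the text of setup/index.php against the two forms in the message."""
    if GUARDED.search(php_source):
        return "guarded"        # a value set before this line is kept as-is
    if UNCONDITIONAL.search(php_source):
        return "unconditional"  # workaround 2 applied
    return "unrecognized"       # neither form found; review by hand


def audit_install(gallery_dir: str) -> str:
    """Check one Gallery directory; a missing file means workaround 1 was applied."""
    target = Path(gallery_dir) / "setup" / "index.php"
    if not target.is_file():
        return "removed"
    return classify_source(target.read_text(encoding="latin-1", errors="replace"))


# Constructed samples mirroring the two snippets quoted in the message.
SAMPLE_BEFORE = "<?php\nif (!isset($GALLERY_BASEDIR)) {\n    $GALLERY_BASEDIR = '../';\n}\n"
SAMPLE_AFTER = "<?php\n$GALLERY_BASEDIR = '../';\n"

if __name__ == "__main__":
    # Usage: python audit_gallery.py /path/to/gallery [...]
    for directory in sys.argv[1:]:
        print(f"{directory}: {audit_install(directory)}")
```

A result of "guarded" means the file still needs one of the two workarounds or the upgrade; the match is textual, so a guard that has only been commented out is also reported as "guarded".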