Full Disclosure mailing list archives

Re: Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept


From: Chris Kelly <ckdake () yahoo com>
Date: Fri, 20 Aug 2004 23:56:42 -0400

#!/usr/bin/php
        Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
        By aCiDBiTS          acidbits () hotmail com          17-August-2004
++  Vulnerability description  ++

Gallery (http://gallery.sf.net/) is a PHP image gallery script. If you have permission to upload photos to some album and the temporary directory is in the webtree, then it is possible to create a file with any extension and content. Tested in v1.4.4; older versions may also be vulnerable.

When uploading photos with the "URL method", they are saved in the temporary directory before being processed. Any file with any content is accepted. After downloading, the file is processed (discarded if it is not an image) and deleted from the temporary directory.

When the script downloads the file to the temporary directory, the function set_time_limit() by default waits 30 seconds before aborting the process if no more data is received and the transfer connection isn't closed. If the temporary directory is in the webtree, during this 30-second timeout we can access the file, executing it.

There is also a "directory disclosure" that I've used to determine whether the temporary directory is in Gallery's webtree. It consists of sending a longer filename than permitted by the filesystem as the image upload name.

We are disappointed that you made no effort to get in touch with us about this issue before announcing it on full-disclosure, which prevented us from having a fix ready at the same time. A fix has been made and both an update patch (1.4.4-sr1) and full release (1.4.4-pl1, which also fixes some other minor non-security related bugs) are available for download as of 11:00pm EST August 20th 2004.

download information:
http://sourceforge.net/project/showfiles.php?group_id=7130

release information:
http://gallery.sourceforge.net/article.php?sid=134

-Chris Kelly
Gallery Project Manager
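The advisory quoted above relies on three conditions holding at once: the fetched file lands in a directory the web server can serve, it keeps whatever name and extension the attacker chose, and validation only happens after the download completes, leaving a window (the stalled transfer) in which the file can be requested. The routine below is an added example, not Gallery's code or the 1.4.4-pl1 fix; it shows a fetch-by-URL handler that removes all three conditions, in Python rather than PHP so that it can be run stand-alone. The function names, the directory layout, and the sample request bodies are assumptions constructed for the example.

```python
"""Hardened handling of an "add photo by URL" upload (added example, not
Gallery's code). The temporary file is created outside the document root
with a random, extension-less name, the content is sniffed before anything
is placed in the served album directory, and the scratch location is checked
against the document root so a misconfiguration fails loudly."""
import os
import secrets
import shutil
import tempfile
from typing import Iterable, Optional

# Magic bytes -> the extension *we* assign; the URL's extension is ignored.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
HEAD_LEN = 8                 # bytes needed to recognise every entry above
MAX_BYTES = 10 * 1024 * 1024  # assumed upload cap


def sniff_image_type(head: bytes) -> Optional[str]:
    """Return the extension for a recognised image header, else None."""
    for magic, ext in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return ext
    return None


def outside_docroot(path: str, docroot: str) -> bool:
    """True if 'path' is not at or below the web server's document root."""
    real_path, real_root = os.path.realpath(path), os.path.realpath(docroot)
    return os.path.commonpath([real_path, real_root]) != real_root


def fetch_to_album(body: Iterable[bytes], album_dir: str,
                   scratch_dir: str, docroot: str) -> Optional[str]:
    """Stream a remote response body into album_dir.

    Returns the final path, or None if the content is rejected. While the
    remote side stalls (the advisory's 30-second window) the partial file
    sits in scratch_dir under a random name with no extension, so it can
    be neither requested nor executed through the web server.
    """
    if not outside_docroot(scratch_dir, docroot):
        raise ValueError("scratch directory must not be inside the document root")
    fd, tmp_path = tempfile.mkstemp(prefix="fetch-", dir=scratch_dir)  # mode 0600
    ext: Optional[str] = None
    head, total = b"", 0
    try:
        with os.fdopen(fd, "wb") as tmp:
            for chunk in body:
                total += len(chunk)
                if total > MAX_BYTES:
                    return None
                if ext is None:
                    head += chunk
                    if len(head) >= HEAD_LEN:
                        ext = sniff_image_type(head)
                        if ext is None:
                            return None  # not an image: stop reading now
                tmp.write(chunk)
        if ext is None:  # body shorter than HEAD_LEN bytes
            return None
        final = os.path.join(album_dir, f"{secrets.token_hex(16)}.{ext}")
        shutil.move(tmp_path, final)
        return final
    finally:
        if os.path.exists(tmp_path):  # rejected or failed: never leave it behind
            os.unlink(tmp_path)


def run_demo() -> dict:
    """Exercise the routine on constructed inputs and return the outcomes."""
    root = tempfile.mkdtemp(prefix="demo-")
    docroot = os.path.join(root, "htdocs")
    album = os.path.join(docroot, "albums", "test")
    scratch = os.path.join(root, "scratch")  # sibling of htdocs, not under it
    os.makedirs(album)
    os.makedirs(scratch)
    # Constructed bodies: a minimal PNG header plus filler, and a PHP payload
    # of the kind the advisory describes being parked in the temp directory.
    png_body = [b"\x89PNG\r\n\x1a\n", b"\x00" * 64]
    php_body = [b"<?php ", b"echo 'owned'; ?>"]
    accepted = fetch_to_album(png_body, album, scratch, docroot)
    rejected = fetch_to_album(php_body, album, scratch, docroot)
    try:  # the 1.4.4 layout: temp directory inside the webtree
        fetch_to_album(png_body, album, os.path.join(docroot, "tmp"), docroot)
        misconfig_caught = False
    except ValueError:
        misconfig_caught = True
    leftovers = os.listdir(scratch)
    shutil.rmtree(root)
    return {"accepted_ext": os.path.splitext(accepted)[1] if accepted else None,
            "rejected": rejected, "misconfig_caught": misconfig_caught,
            "scratch_leftovers": leftovers}


if __name__ == "__main__":
    print(run_demo())
```

The scratch-directory check is the part worth keeping even if the rest is adapted: it is the one condition a deployer controls, and it is exactly the one the advisory's "directory disclosure" probe was used to discover.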

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
