Full Disclosure mailing list archives

Re: Re: Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept


From: da m0nk3y <da.m0nk3y () gmail com>
Date: Mon, 23 Aug 2004 11:58:53 -0700

On Fri, 20 Aug 2004 23:56:42 -0400, Chris Kelly <ckdake () yahoo com> wrote:
#!/usr/bin/php
      Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
      By aCiDBiTS          acidbits () hotmail com          17-August-2004
++  Vulnerability description  ++

      Gallery (http://gallery.sf.net/) is a PHP image gallery script. If one has
permission to upload photos to some album and the temporary directory is in
the webtree, then it is possible to create a file with any extension and
content. Tested in v 1.4.4; older versions may also be vulnerable.

      When uploading photos with the "URL method", they are saved in the temporary
directory before being processed. Any file with any content is accepted.
After downloading, the file is processed (discarded if it is not an image)
and deleted from the temporary directory.

      When the script downloads the file to the temporary directory there's the
function set_time_limit(), which by default waits 30 seconds to abort the
process if no more data is received and the transfer connection isn't
closed. If the temporary directory is in the webtree, during this 30-second
timeout we can access the file, executing it.

      There's also a "directory disclosure" that I've used to determine whether the
temporary directory is in Gallery's webtree. It consists of sending a filename
longer than permitted by the filesystem as the image upload name.

We are disappointed that you made no effort to get in touch with us
about this issue before announcing it on full-disclosure, which
prevented us from having a fix ready at the same time.  

raped

A fix has been
made and both an update patch (1.4.4-sr1) and full release (1.4.4-pl1,
which also fixes some other minor non-security related bugs) are
available for download as of 11:00pm EST August 20th 2004.

download information:
http://sourceforge.net/project/showfiles.php?group_id=7130

release information:
http://gallery.sourceforge.net/article.php?sid=134

-Chris Kelly
Gallery Project Manager



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

AcIdBiTS owned Gallery.sourceforge.net
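The flaw the advisory describes is a time-of-check race: the fetched file is written, under its caller-supplied name and extension, into a temporary directory that the web server also serves, and the "is it an image?" check runs only after the transfer completes, so a sender that trickles bytes keeps the half-written file reachable over HTTP for the whole transfer. The following is an added illustration of that pattern beside a hardened form; it is not Gallery's code (neither the vulnerable version nor the 1.4.4-pl1 fix), and DOCROOT, MAX_BYTES, the directory names and the function names are assumptions chosen for the example.

```php
<?php
// Added example, not Gallery's code. DOCROOT, MAX_BYTES, the directory
// layout and the function names are assumptions made for illustration.

const DOCROOT   = '/var/www/html';      // assumed document root
const MAX_BYTES = 8 * 1024 * 1024;      // assumed size cap for a fetched photo

// Copy $in to $out, refusing to write more than MAX_BYTES.
function copy_limited($in, $out): void
{
    $total = 0;
    while (!feof($in)) {
        $chunk = fread($in, 65536);
        if ($chunk === false) {
            throw new RuntimeException('read error');
        }
        $total += strlen($chunk);
        if ($total > MAX_BYTES) {
            throw new RuntimeException('file too large');
        }
        fwrite($out, $chunk);
    }
}

// VULNERABLE pattern (the shape the advisory describes): the remote file is
// written under its original, attacker-chosen name and extension into a
// temporary directory inside the web tree. The content check runs only after
// the transfer completes, so while a slow sender keeps the connection open the
// partially written file is already reachable at http://host/gallery/tmp/<name>
// and, if the name ends in .php, is executed by the web server.
function fetch_to_webtree_tmp(string $url, string $name): string
{
    $dest = DOCROOT . '/gallery/tmp/' . basename($name);  // inside the web tree
    $in   = fopen($url, 'rb');
    $out  = fopen($dest, 'wb');
    copy_limited($in, $out);   // race window: file is live for the whole transfer
    fclose($in);
    fclose($out);
    if (@getimagesize($dest) === false) {                 // check comes too late
        unlink($dest);
        throw new RuntimeException('not an image');
    }
    return $dest;
}

// HARDENED pattern: stage the download under a random, extension-less name in
// a directory the web server never serves, validate the content, derive the
// extension from the content rather than from the URL, and only then move the
// file into the album directory. Nothing is reachable over HTTP before
// validation, so holding the connection open gains an attacker nothing.
function fetch_outside_webtree(string $url, string $album_dir): string
{
    // sys_get_temp_dir() (e.g. /tmp) is assumed to lie outside DOCROOT.
    $stage = sys_get_temp_dir() . '/gal_' . bin2hex(random_bytes(16));
    $in = fopen($url, 'rb');
    if ($in === false) {
        throw new RuntimeException('fetch failed');
    }
    $out = fopen($stage, 'xb');             // 'x': fail if the path already exists
    if ($out === false) {
        fclose($in);
        throw new RuntimeException('cannot create staging file');
    }
    try {
        copy_limited($in, $out);
    } catch (Throwable $e) {
        fclose($in);
        fclose($out);
        @unlink($stage);
        throw $e;
    }
    fclose($in);
    fclose($out);

    $info = @getimagesize($stage);
    if ($info === false) {
        unlink($stage);
        throw new RuntimeException('not an image');
    }
    $ext   = image_type_to_extension($info[2], false);    // from content, not $url
    $final = rtrim($album_dir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!rename($stage, $final)) {
        unlink($stage);
        throw new RuntimeException('cannot move into album');
    }
    return $final;
}
```

Both functions rely on `allow_url_fopen` for the HTTP fetch, and a real implementation should also restrict `$url` to http/https before opening it, since a user-supplied URL fetched by the server is a request-forgery surface in its own right. The hardened version closes the race by never exposing unvalidated bytes; as defense in depth, the album and temporary directories should additionally be configured in the web server so that nothing in them is ever handed to the PHP interpreter, which limits the damage if a future code path writes there again.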
