Full Disclosure mailing list archives
[ GLSA 200402-04 ] Gallery <= 1.4.1 and below remote exploit vulnerability
From: Tim Yamin <plasmaroo () gentoo org>
Date: Wed, 11 Feb 2004 21:21:48 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200402-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Gallery <= 1.4.1 remote exploit vulnerability
      Date: February 11, 2004
      Bugs: #39638
        ID: 200402-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Gallery developers have discovered a potentially serious security
flaw in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1 which can allow a
remote exploit of your webserver.

Background
==========

Gallery is an open source image management system written in PHP.
More information is available at http://gallery.sourceforge.net.

Description
===========

Starting in the 1.3.1 release, Gallery includes code to simulate the
behaviour of the PHP 'register_globals' variable in environments where
that setting is disabled. It is simulated by extracting the values of
the various $HTTP_ global variables into the global namespace.

Impact
======

A crafted URL such as
http://example.com/gallery/init.php?HTTP_POST_VARS=xxx causes the
'register_globals' simulation code to overwrite the $HTTP_POST_VARS
which, when it is extracted, will deliver the given payload. If the
payload compromises $GALLERY_BASEDIR then the malicious user can perform
a PHP injection exploit and gain remote access to the webserver with PHP
user UID access rights.

Workaround
==========

The workaround for the vulnerability is to replace "init.php" and
"setup/init.php" with the files in the following ZIP file:

http://prdownloads.sourceforge.net/gallery/patch_1.4.1-to-1.4.1-pl1.zip?download

Resolution
==========

All users are encouraged to upgrade their gallery installation:

    # emerge sync
    # emerge -p ">=app-misc/gallery-1.4.1_p1"
    # emerge ">=app-misc/gallery-1.4.1_p1"

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAKpzqMMXbAy2b2EIRAut+AJ9YoJa90874PYeNjs6z2Kv0Rho9/gCg71wT
I8LE+RBEJjdVIC04nz9dKh0=
=+v3e
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
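
A detection check for the request shape described under Impact, added here as an example and not part of the advisory or of Gallery's own code: it scans web server access log lines for query-string parameters named after PHP's legacy $HTTP_* arrays or GALLERY_BASEDIR. The log lines are constructed samples, the regular expressions and function names are assumptions of this example, and it sees only query strings, not POST bodies or cookies.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Names a client should never supply: PHP's legacy $HTTP_*_VARS and
# $HTTP_POST_FILES arrays (the advisory's HTTP_POST_VARS case) and
# GALLERY_BASEDIR, the variable the advisory says the payload targets.
RESERVED_RE = re.compile(r'^(?:HTTP_[A-Z]+_(?:VARS|FILES)|GALLERY_BASEDIR)$')


def reserved_params(target):
    """Return reserved parameter names found in a request target's query."""
    hits = []
    for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl has already percent-decoded the name. Normalise it the
        # way PHP does before comparing: "name[key]" is an element of $name,
        # leading spaces are dropped, dots and spaces become underscores.
        base = name.split("[", 1)[0].lstrip()
        base = base.replace(".", "_").replace(" ", "_")
        if RESERVED_RE.match(base) and base not in hits:
            hits.append(base)
    return hits


def scan(lines):
    """Yield (line_number, names) for log lines carrying a reserved name."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        names = reserved_params(match.group(1)) if match else []
        if names:
            yield number, names


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Feb/2004:21:30:01 +0000] "GET /gallery/albums.php HTTP/1.1" 200 5120',
    '192.0.2.77 - - [11/Feb/2004:21:30:07 +0000] "GET /gallery/init.php?HTTP_POST_VARS=xxx HTTP/1.1" 200 0',
    '192.0.2.77 - - [11/Feb/2004:21:30:09 +0000] "GET /gallery/init.php?HTTP%5FPOST%5FVARS=xxx HTTP/1.0" 200 0',
    '192.0.2.10 - - [11/Feb/2004:21:31:15 +0000] "GET /gallery/view_photo.php?id=HTTP_POST_VARS HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: reserved parameter(s) {', '.join(names)}")
```

Only parameter names are matched, so the fourth sample line, where HTTP_POST_VARS appears as a value, is not reported.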