Full Disclosure mailing list archives

[ GLSA 200402-04 ] Gallery <= 1.4.1 and below remote exploit vulnerability


From: Tim Yamin <plasmaroo () gentoo org>
Date: Wed, 11 Feb 2004 21:21:48 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200402-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Gallery <= 1.4.1 remote exploit vulnerability
      Date: February 11, 2004
      Bugs: #39638
        ID: 200402-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Gallery developers have discovered a potentially serious security
flaw in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1 which can allow
remote exploitation of your webserver.

Background
==========

Gallery is an open source image management system written in PHP. More
information is available at http://gallery.sourceforge.net.

Description
===========

Starting in the 1.3.1 release, Gallery includes code to simulate the
behaviour of the PHP 'register_globals' variable in environments where
that setting is disabled.  It is simulated by extracting the values of
the various $HTTP_ global variables into the global namespace.

Impact
======

A crafted URL such as
http://example.com/gallery/init.php?HTTP_POST_VARS=xxx causes the
'register_globals' simulation code to overwrite the $HTTP_POST_VARS
which, when it is extracted, will deliver the given payload. If the
payload compromises $GALLERY_BASEDIR then the malicious user can perform
a PHP injection exploit and gain remote access to the webserver with PHP
user UID access rights.
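
The register_globals simulation described above, modelled in PHP as an
added example (this is not Gallery's code; the request arrays, the
allow-list and the placeholder path are constructed for the example).
The vulnerable function extracts the request arrays in order with the
default overwrite behaviour, so a GET key named HTTP_POST_VARS replaces
the real array before it is read; the hardened function rejects reserved
names, imports only expected parameters and uses EXTR_SKIP:

```php
<?php
// Added example, not Gallery's code: a model of the register_globals
// simulation from the advisory next to a hardened replacement. Request
// arrays are passed in explicitly (constructed in the driver below) so the
// script runs offline without depending on the removed $HTTP_*_VARS globals.

/**
 * Vulnerable pattern: copy every request array into the current scope,
 * GET first, then POST, then cookies. extract() overwrites by default, so
 * a GET parameter named HTTP_POST_VARS replaces $HTTP_POST_VARS before the
 * second extract() reads it, and the URL then decides what that extract()
 * defines, including $GALLERY_BASEDIR.
 */
function vulnerable_simulation(array $get, array $post, array $cookie): string
{
    $HTTP_GET_VARS    = $get;
    $HTTP_POST_VARS   = $post;
    $HTTP_COOKIE_VARS = $cookie;
    $GALLERY_BASEDIR  = './';          // trusted default later used by include()

    extract($HTTP_GET_VARS);           // can redefine $HTTP_POST_VARS itself
    extract($HTTP_POST_VARS);          // now imports whatever the URL supplied
    extract($HTTP_COOKIE_VARS);

    return (string) $GALLERY_BASEDIR;
}

/**
 * Hardened replacement. Request data may never name one of the request
 * arrays or a configuration variable (reserved list); only parameters the
 * application expects are imported (allow-list); and EXTR_SKIP makes
 * extract() refuse to overwrite anything already defined, so the order in
 * which the sources are processed no longer matters.
 */
function hardened_simulation(array $get, array $post, array $cookie, array $allowed): string
{
    $GALLERY_BASEDIR = './';

    $reserved = [
        'GALLERY_BASEDIR',
        'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS',
        'HTTP_SERVER_VARS', 'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'HTTP_SESSION_VARS',
    ];

    $import = [];
    foreach ([$get, $post, $cookie] as $source) {
        foreach ($source as $name => $value) {
            if (!is_string($name)
                || in_array($name, $reserved, true)
                || !in_array($name, $allowed, true)) {
                continue;              // dropped; a deployment should also log it
            }
            $import[$name] = $value;
        }
    }
    extract($import, EXTR_SKIP);

    return $GALLERY_BASEDIR;
}

// Constructed request standing in for what PHP builds from the crafted URL
// in the advisory: the GET array carries an HTTP_POST_VARS parameter whose
// payload names GALLERY_BASEDIR. The value is a placeholder, not a real path.
$get     = ['HTTP_POST_VARS' => ['GALLERY_BASEDIR' => '<untrusted-path-placeholder>']];
$post    = [];
$cookie  = [];
$allowed = ['page'];                   // hypothetical allow-list for this example

printf("vulnerable simulation: GALLERY_BASEDIR = %s\n",
       vulnerable_simulation($get, $post, $cookie));
printf("hardened simulation:   GALLERY_BASEDIR = %s\n",
       hardened_simulation($get, $post, $cookie, $allowed));
```

Run with `php`: the vulnerable variant reports the placeholder, because the
GET key redefined $HTTP_POST_VARS before that array was extracted, while
the hardened variant keeps './'. EXTR_SKIP on its own would already block
this particular overwrite, but the allow-list is what closes the general
class of bugs behind register_globals, where any request parameter can
become a global. On the detection side, a request whose query string
carries a parameter named like one of the HTTP_*_VARS arrays has no
legitimate purpose and can be rejected or alerted on at the web server.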

Workaround
==========

The workaround for the vulnerability is to replace "init.php" and
"setup/init.php" with the files in the following ZIP file:
http://prdownloads.sourceforge.net/gallery/patch_1.4.1-to-1.4.1-pl1.zip?download

Resolution
==========

All users are encouraged to upgrade their Gallery installation:

    # emerge sync
    # emerge -p ">=app-misc/gallery-1.4.1_p1"
    # emerge ">=app-misc/gallery-1.4.1_p1"

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAKpzqMMXbAy2b2EIRAut+AJ9YoJa90874PYeNjs6z2Kv0Rho9/gCg71wT
I8LE+RBEJjdVIC04nz9dKh0=
=+v3e
-----END PGP SIGNATURE-----
