Re: [Full-Disclosure] Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
- From: Chris Kelly <ckdake@xxxxxxxxx>
- Date: Fri, 20 Aug 2004 23:56:42 -0400
#!/usr/bin/php
Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept
By aCiDBiTS acidbits@xxxxxxxxxxx 17-August-2004
++ Vulnerability description ++
Gallery (http://gallery.sf.net/) is a PHP image gallery script. If you have
permission to upload photos in some album and the temporary directory is in
the webtree, then it is possible to create a file with any extension and
content. Tested in v 1.4.4; maybe older versions are also vulnerable.
When uploading photos with the "URL method", they are saved in the temporary
directory before processing them. Any file with any content is accepted.
After downloading, the file is processed (discarded if it is not an image)
and deleted from the temporary directory.
When the script downloads the file to the temporary directory there's the
function set_time_limit() that by default waits 30 seconds to abort the
process if no more data is received and the transfer connection isn't
closed. If the temporary directory is in the webtree, during these 30 seconds
of timeout we can access the file, executing it.
There's also a "directory disclosure" that I've used to determine if the
temporary directory is in gallery's webtree. It consists of sending a longer
filename than permitted by the filesystem for the image upload name.
We are disappointed that you made no effort to get in touch with us
about this issue before announcing it on full-disclosure, which
prevented us from having a fix ready at the same time. A fix has been
made and both an update patch (1.4.4-sr1) and full release (1.4.4-pl1,
which also fixes some other minor non-security related bugs) are
available for download as of 11:00pm EST August 20th 2004.
download information:
http://sourceforge.net/project/showfiles.php?group_id=7130
release information:
http://gallery.sourceforge.net/article.php?sid=134
-Chris Kelly
Gallery Project Manager
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
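The advisory above describes two weaknesses: an in-flight download that sits, under an attacker-chosen name, in a web-served directory for as long as the sender keeps the connection open, and an error path that leaks the directory name when the filename is too long. The following is an added, defender-side illustration of how an "upload by URL" handler can close both windows; it is not Gallery's code and not part of this thread, and every path, constant and function name in it is an assumption made for the example.

```php
<?php
// Added example (not Gallery's code): a hardened "fetch image by URL" handler.
// It removes the race described in the advisory by (1) never placing the
// in-flight download under the web root, (2) giving it an unpredictable name
// with a non-executable suffix, and (3) validating the image before it is
// moved to its final, publicly served location. Paths and limits are assumptions.

const STAGING_DIR   = '/var/lib/gallery-staging';  // assumption: outside DocumentRoot
const ALBUM_DIR     = '/var/www/html/albums/demo';  // assumption: served as static images
const MAX_BYTES     = 8 * 1024 * 1024;
const FETCH_TIMEOUT = 10;  // bounded wall-clock time; a slow sender cannot extend it

/** Download $url into the staging directory. Returns the staged path or null. */
function stage_remote_image(string $url): ?string
{
    if (!in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) {
        return null;
    }
    // Random name and a fixed non-executable suffix: the user-supplied
    // filename never reaches the filesystem, so it can neither be guessed
    // nor trigger a filesystem error that would echo a path.
    $staged = STAGING_DIR . '/' . bin2hex(random_bytes(16)) . '.part';

    $ctx = stream_context_create(['http' => ['timeout' => FETCH_TIMEOUT, 'follow_location' => 0]]);
    $in = @fopen($url, 'rb', false, $ctx);
    if ($in === false) {
        return null;
    }
    $out = fopen($staged, 'xb');  // 'x' mode fails instead of clobbering an existing file
    if ($out === false) {
        fclose($in);
        return null;
    }

    $written  = 0;
    $deadline = time() + FETCH_TIMEOUT;
    while (!feof($in)) {
        $chunk = fread($in, 8192);
        if ($chunk === false || time() > $deadline) {
            $written = -1;  // stalled or over time: abandon the download
            break;
        }
        $written += strlen($chunk);
        if ($written > MAX_BYTES) {
            $written = -1;  // oversized body: abandon the download
            break;
        }
        fwrite($out, $chunk);
    }
    fclose($in);
    fclose($out);
    if ($written <= 0) {
        @unlink($staged);
        return null;
    }
    return $staged;
}

/** Accept only files whose header parses as JPEG, PNG or GIF. */
function is_valid_image(string $path): bool
{
    $info = @getimagesize($path);
    return $info !== false
        && in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true);
}

/** Public filename: no path components, bounded length, extension chosen by us. */
function safe_album_name(string $requested, string $stagedPath): string
{
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($requested, PATHINFO_FILENAME));
    $base = substr($base === '' ? 'image' : $base, 0, 64);  // bounded: no over-long name errors to leak
    $ext  = image_type_to_extension(getimagesize($stagedPath)[2], false);
    return $base . '.' . $ext;
}

/** Full flow: stage outside the webtree, validate, then publish. Returns the final path or null. */
function import_image_from_url(string $url, string $requestedName): ?string
{
    $staged = stage_remote_image($url);
    if ($staged === null) {
        return null;
    }
    if (!is_valid_image($staged)) {
        unlink($staged);
        return null;
    }
    $dest = ALBUM_DIR . '/' . safe_album_name($requestedName, $staged);
    if (file_exists($dest) || !rename($staged, $dest)) {
        unlink($staged);
        return null;
    }
    chmod($dest, 0644);
    return $dest;
}
```

The design point is that nothing the remote side controls is ever reachable through the web server until after validation: the staging directory is not served, the staged name is random and ends in `.part`, the fetch is bounded by bytes and by wall-clock time rather than by an idle timeout, and every failure returns `null` instead of surfacing a filesystem error message. An image-header check such as `getimagesize()` is a plausibility filter, not proof of safety, so the album directory should also be configured to serve files as static content only.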