Gallery-2.0.1.txt

Gallery-2.0.1.txt: Posted Oct 21, 2005; Authored by Michael Dipper | Site dipper.info; Gallery versions prior to 2.0.1 are vulnerable to a directory transversal bug which allows any visitor to access any file on the server that is accessible by the webserver.; tags | advisory; SHA-256 | 86f8258f02cc1291ee2f9685881b7c8451a0ccea1cebd712fb10916e53f62417; Download | Favorite | View

Gallery-2.0.1.txt


Vendor information:

    Gallery is an open source web based photo album organizer.  The
    2.x is a newly released complete rewrite of the application.

    Url: http://gallery.menalto.com
    Contact: gallery@menalto.com

Vulnerability class:

    Input sanitization

Details:

    Michael Dipper has discovered an input sanitization issue that
    allows users to specially craft a url to access any file on the
    server that is accessible by the webserver.  The vulnerability
    may be used by any visitor to the Gallery, no user login is
    required.

Exploit:

    The vulnerability may be exploited by accessing a URL like this:

      http://example.com/gallery2/main.php
         ?g2_itemId=/../../../../../../../etc/aliases%00

    Internally the Gallery caching code uses this variable to
    construct a relative filename to a cache file.  Using ../..
    elements in the path allow you to escape the Gallery directory
    and view files that are not regularly available via the webserver.

Solution:

    The Gallery team has released Gallery 2.0.1 which resolves this
    security issue by validating the input variable, modifying the
    caching code to prevent it from generating paths with '..' in
    them, and modifying the choke point on included files to prevent
    it from loading files that contain '..' in them.

    Download 2.0.1 (including patch files from 2.0) from here:
      http://codex.gallery2.org/Gallery2:Download

    A big thanks to Michael Dipper for bringing this to our attention
    and providing us with lead time to make a patch available before
    fully disclosing it.

Vulnerable:
    Gallery 2.0
    Gallery 2.0 Beta 3
    Gallery 2.0 Beta 2
    Gallery 2.0 Beta 1
    Gallery 2.0 Alpha 4
    Gallery 2.0 Alpha 3
    Gallery 2.0 Alpha 2
    Gallery 2.0 Alpha 1
    CVS HEAD before 2005-10-13

Not Vulnerable:
    Gallery 1.x
    Gallery Remote (all versions)

Credit:
    Michael Dipper
    http://dipper.info/

History:
   20051012 - Initial discovery and reporting
              (Michael Dipper, micha-at-dipper.info )
   20051013 - Vendor fix released

Top Authors In Last 30 Days

Red Hat 227 files
indoushka 150 files
Jay Turla 150 files
Ubuntu 64 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,119)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,136)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,775)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,828)
UNIX (9,454)
UnixWare (188)
Windows (6,766)
Other

Gallery-2.0.1.txt

Gallery-2.0.1.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Gallery-2.0.1.txt

Share This

Gallery-2.0.1.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems