<<< Date Index >>>     <<< Thread Index >>>

Gallery 2.x Remote File Access Vulnerability




Vendor information:

   Gallery is an open source web based photo album organizer.  The
   2.x is a newly released complete rewrite of the application.

   Url: http://gallery.menalto.com
   Contact: gallery@xxxxxxxxxxx

Vulnerability class:

   Input sanitization

Details:

   Michael Dipper has discovered an input sanitization issue that
   allows users to specially craft a url to access any file on the
   server that is accessible by the webserver.  The vulnerability
   may be used by any visitor to the Gallery, no user login is
   required.

Exploit:

   The vulnerability may be exploited by accessing a URL like this:

     http://example.com/gallery2/main.php
        ?g2_itemId=/../../../../../../../etc/aliases%00

   Internally the Gallery caching code uses this variable to
   construct a relative filename to a cache file.  Using ../..
   elements in the path allow you to escape the Gallery directory
   and view files that are not regularly available via the webserver.

Solution:

   The Gallery team has released Gallery 2.0.1 which resolves this
   security issue by validating the input variable, modifying the
   caching code to prevent it from generating paths with '..' in
   them, and modifying the choke point on included files to prevent
   it from loading files that contain '..' in them.

   Download 2.0.1 (including patch files from 2.0) from here:
     http://codex.gallery2.org/Gallery2:Download

   A big thanks to Michael Dipper for bringing this to our attention
   and providing us with lead time to make a patch available before
   fully disclosing it.

Vulnerable:
   Gallery 2.0
   Gallery 2.0 Beta 3
   Gallery 2.0 Beta 2
   Gallery 2.0 Beta 1
   Gallery 2.0 Alpha 4
   Gallery 2.0 Alpha 3
   Gallery 2.0 Alpha 2
   Gallery 2.0 Alpha 1
   CVS HEAD before 2005-10-13

Not Vulnerable:
   Gallery 1.x
   Gallery Remote (all versions)

Credit:
   Michael Dipper
   http://dipper.info/

History:
  20051012 - Initial discovery and reporting
             (Michael Dipper, micha-at-dipper.info )
  20051013 - Vendor fix released