Bug: Gallery Input Validation Bug in Processing Internal Cache Files Lets Remote Users Traverse the Directory (WLB-2005100044 Ascii Version)

English Version
WLB2

CVE WLB2

WLB2
Full List
Bugs
Bogus
Tricks
Exploits
CVE MAP
Full List
Vendors
Products
Tools
CWE Dictionary
Google Hacking
Search
General
CVE
CWE
RSS
Full List
Bugs
Exploits
Dorks
Information
Our services
Add note
About
Submit

To add a note,

use this form

or send email to

submit@cxsecurity.com

When contacting via email, we recommend coded messages.

Get our PGP public key

 Topic: Gallery Input Validation Bug in Processing Internal Cache Files Lets Remote Users Traverse the Directory
 Credit: Michael Dipper
 Date: 2005.10.16
 CWE: N/A
 CVE: CVE-2005-3251 (Show details)

Use CVE to see details like:
- CVSS2,
- Affected Software,
- References

Risk
Local
Remote
Medium
No
Yes

Vendor information:

Gallery is an open source web based photo album organizer. The
2.x is a newly released complete rewrite of the application.

Url: http://gallery.menalto.com
Contact: gallery@menalto.com

Vulnerability class:

Input sanitization

Details:

Michael Dipper has discovered an input sanitization issue that
allows users to specially craft a url to access any file on the
server that is accessible by the webserver. The vulnerability
may be used by any visitor to the Gallery, no user login is
required.

Exploit:

The vulnerability may be exploited by accessing a URL like this:

http://example.com/gallery2/main.php
?g2_itemId=/../../../../../../../etc/aliases%00

Internally the Gallery caching code uses this variable to
construct a relative filename to a cache file. Using ../..
elements in the path allow you to escape the Gallery directory
and view files that are not regularly available via the webserver.

Solution:

The Gallery team has released Gallery 2.0.1 which resolves this
security issue by validating the input variable, modifying the
caching code to prevent it from generating paths with '..' in
them, and modifying the choke point on included files to prevent
it from loading files that contain '..' in them.

Download 2.0.1 (including patch files from 2.0) from here:
http://codex.gallery2.org/Gallery2:Download

A big thanks to Michael Dipper for bringing this to our attention
and providing us with lead time to make a patch available before
fully disclosing it.

Vulnerable:
Gallery 2.0
Gallery 2.0 Beta 3
Gallery 2.0 Beta 2
Gallery 2.0 Beta 1
Gallery 2.0 Alpha 4
Gallery 2.0 Alpha 3
Gallery 2.0 Alpha 2
Gallery 2.0 Alpha 1
CVS HEAD before 2005-10-13

Not Vulnerable:
Gallery 1.x
Gallery Remote (all versions)

Credit:
Michael Dipper
http://dipper.info/

History:
20051012 - Initial discovery and reporting
(Michael Dipper, micha-at-dipper.info )
20051013 - Vendor fix released

[ ASCII VERSION ]
Copyright 2012, cxsecurity.com