Gallery Input Validation Bug in Processing Internal Cache Files Lets Remote Users Traverse the Directory

2005.10.16
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

Vendor information: Gallery is an open source web based photo album organizer. Version 2.x is a newly released complete rewrite of the application.
Url: http://gallery.menalto.com
Contact: gallery@menalto.com

Vulnerability class: Input sanitization

Details: Michael Dipper has discovered an input sanitization issue that allows a visitor to craft a URL that reads any file on the server that is accessible to the webserver process. The vulnerability may be exploited by any visitor to the Gallery; no user login is required.

Exploit: The vulnerability may be exploited by requesting a URL like this:

http://example.com/gallery2/main.php?g2_itemId=/../../../../../../../etc/aliases%00

Internally the Gallery caching code uses this variable to construct a relative filename for a cache file. Using ../ elements in the path escapes the Gallery directory, so files that are not normally reachable through the webserver can be read. The trailing %00 (a NUL byte) cuts off whatever suffix the code appends after the parameter, so the filename that reaches the filesystem call ends at /etc/aliases.

Solution: The Gallery team has released Gallery 2.0.1, which resolves this issue by validating the input variable, modifying the caching code so that it cannot generate paths containing '..', and modifying the choke point for included files so that it refuses to load any file whose path contains '..'. Download 2.0.1 (including patch files from 2.0) from here: http://codex.gallery2.org/Gallery2:Download

A big thanks to Michael Dipper for bringing this to our attention and giving us lead time to make a patch available before full disclosure.

Vulnerable:
Gallery 2.0
Gallery 2.0 Beta 3
Gallery 2.0 Beta 2
Gallery 2.0 Beta 1
Gallery 2.0 Alpha 4
Gallery 2.0 Alpha 3
Gallery 2.0 Alpha 2
Gallery 2.0 Alpha 1
CVS HEAD before 2005-10-13

Not Vulnerable:
Gallery 1.x
Gallery Remote (all versions)

Credit: Michael Dipper http://dipper.info/

History:
20051012 - Initial discovery and reporting (Michael Dipper, micha-at-dipper.info)
20051013 - Vendor fix released
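The mechanism above, as an added illustration that is not Gallery's own code: a minimal Python model of a cache-path construction that splices the g2_itemId parameter straight into a filename, beside the three-layer fix the advisory describes (validate the variable, build the cache name only from validated data, refuse '..' at the include choke point). CACHE_ROOT, the '.inc' suffix and all function names are assumptions made for this example; the NUL truncation is simulated in a helper because Python's own file APIs reject embedded NUL bytes.

```python
import os
import re

# Constructed for this example; Gallery 2.0's real cache layout and
# filename suffix are not reproduced here.
CACHE_ROOT = "/var/www/gallery2/g2data/cache"
CACHE_SUFFIX = ".inc"

# The advisory's proof-of-concept value for g2_itemId, URL-decoded
# (%00 becomes a NUL byte).
POC_ITEM_ID = "/../../../../../../../etc/aliases\x00"


def as_seen_by_c_string_api(path: str) -> str:
    """Simulate a file API that takes a C string: everything after the
    first NUL byte is dropped. This is what lets the trailing %00 in the
    request strip the suffix the code appends."""
    return path.split("\x00", 1)[0]


def vulnerable_cache_path(item_id: str) -> str:
    """The pattern the advisory describes: the request parameter is
    spliced into a cache filename with no validation at all."""
    raw = CACHE_ROOT + "/" + item_id + CACHE_SUFFIX
    # normpath resolves the ../ segments the way the kernel would.
    return os.path.normpath(as_seen_by_c_string_api(raw))  # POC -> /etc/aliases


# --- the fix, in the three layers the advisory lists ---------------------

def validate_item_id(item_id: str) -> int:
    """Layer 1: validate the input variable. An item id is a number, so
    anything that is not a short string of digits is rejected outright."""
    if not re.fullmatch(r"[0-9]{1,18}", item_id):
        raise ValueError(f"g2_itemId is not a numeric id: {item_id!r}")
    return int(item_id)


def cache_relative_name(item_id: int) -> str:
    """Layer 2: the caching code builds the relative name only from a
    validated integer, so it can never contain '..' or a NUL byte."""
    return f"{item_id}{CACHE_SUFFIX}"


def confined_include_path(relative: str) -> str:
    """Layer 3: the include choke point. The advisory's fix refuses any
    path containing '..'; this example goes slightly further and also
    rejects NUL bytes and checks that the normalised result still lies
    under CACHE_ROOT, which catches escapes spelled differently (an
    absolute path, for instance). Symlinks inside the cache directory
    would additionally need os.path.realpath."""
    if "\x00" in relative or ".." in relative.split("/"):
        raise ValueError(f"refusing suspicious include path: {relative!r}")
    full = os.path.normpath(os.path.join(CACHE_ROOT, relative))
    if os.path.commonpath([CACHE_ROOT, full]) != CACHE_ROOT:
        raise ValueError(f"path escapes cache root: {full}")
    return full


def hardened_cache_path(item_id: str) -> str:
    """All three layers applied to the raw request parameter."""
    return confined_include_path(cache_relative_name(validate_item_id(item_id)))


def hardened_accepts(item_id: str) -> bool:
    """True if the hardened pipeline would open a cache file for this value."""
    try:
        hardened_cache_path(item_id)
        return True
    except ValueError:
        return False


def choke_point_accepts(relative: str) -> bool:
    """True if layer 3 alone (layers 1 and 2 bypassed) would load this path."""
    try:
        confined_include_path(relative)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_cache_path(POC_ITEM_ID))
    print("vulnerable:", vulnerable_cache_path("1234"))
    print("hardened  :", hardened_cache_path("1234"))
    for bad in (POC_ITEM_ID, "../../etc/passwd", "1234/../../x", ""):
        print("hardened rejects", repr(bad), not hardened_accepts(bad))
```

Running the module shows the proof-of-concept value collapsing to /etc/aliases in the vulnerable path builder while every non-numeric value is refused by the hardened one. The choke-point check is kept as a separate function on purpose: it is the layer that still protects the application if a later caller forgets to validate, which is why the advisory lists it alongside the input check rather than instead of it.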

