Gallery GallerySession.class 'sessionId' Variable File Deletion

2006-03-02T22:42:15
ID OSVDB:23597
Type osvdb
Reporter James Bercegay()
Modified 2006-03-02T22:42:15

Description

Vulnerability Description

Gallery contains a flaw that allows a remote attacker to delete files outside of the web path. The issue is due to the GallerySession.class not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the sessionId variable(s).

Solution Description

Upgrade to version 2.0.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Gallery contains a flaw that allows a remote attacker to delete files outside of the web path. The issue is due to the GallerySession.class not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the sessionId variable(s).

References:

Vendor URL: http://gallery.sourceforge.net/ Vendor Specific News/Changelog Entry: http://gallery.menalto.com/gallery_2.0.3_released Security Tracker: 1015717 Secunia Advisory ID:19104 Related OSVDB ID: 23596 Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00106-03022006 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0621.html