| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 5 |
Gentoo Linux Security Advisory GLSA 200402-04 |
| 6 |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 7 |
~ http://security.gentoo.org |
| 8 |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 9 |
|
| 10 |
~ Severity: Normal |
| 11 |
~ Title: Gallery <= 1.4.1 remote exploit vulnerability |
| 12 |
~ Date: February 11, 2004 |
| 13 |
~ Bugs: #39638 |
| 14 |
~ ID: 200402-04 |
| 15 |
|
| 16 |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 17 |
|
| 18 |
Synopsis |
| 19 |
======== |
| 20 |
|
| 21 |
The Gallery developers have discovered a potentially serious security |
| 22 |
flaw in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1 which can a remote |
| 23 |
exploit of your webserver. |
| 24 |
|
| 25 |
Background |
| 26 |
========== |
| 27 |
|
| 28 |
Gallery is an open source image management system written in PHP. More |
| 29 |
information is available at http://gallery.sourceforge.net. |
| 30 |
|
| 31 |
Description |
| 32 |
=========== |
| 33 |
|
| 34 |
Starting in the 1.3.1 release, Gallery includes code to simulate the |
| 35 |
behaviour of the PHP 'register_globals' variable in environments where |
| 36 |
that setting is disabled. It is simulated by extracting the values of |
| 37 |
the various $HTTP_ global variables into the global namespace. |
| 38 |
|
| 39 |
Impact |
| 40 |
====== |
| 41 |
|
| 42 |
A crafted URL such as |
| 43 |
http://example.com/gallery/init.php?HTTP_POST_VARS=xxx causes the |
| 44 |
'register_globals' simulation code to overwrite the $HTTP_POST_VARS |
| 45 |
which, when it is extracted, will deliver the given payload. If the |
| 46 |
payload compromises $GALLERY_BASEDIR then the malicious user can perform |
| 47 |
a PHP injection exploit and gain remote access to the webserver with PHP |
| 48 |
user UID access rights. |
| 49 |
|
| 50 |
Workaround |
| 51 |
========== |
| 52 |
|
| 53 |
The workaround for the vulnerability is to replace "init.php" and |
| 54 |
"setup/init.php" with the files in the following ZIP file: |
| 55 |
http://prdownloads.sourceforge.net/gallery/patch_1.4.1-to-1.4.1-pl1.zip?download |
| 56 |
|
| 57 |
Resolution |
| 58 |
========== |
| 59 |
|
| 60 |
All users are encouraged to upgrade their gallery installation: |
| 61 |
|
| 62 |
~ # emerge sync |
| 63 |
~ # emerge -p ">=app-misc/gallery-1.4.1_p1" |
| 64 |
~ # emerge ">=app-misc/gallery-1.4.1_p1" |
| 65 |
|
| 66 |
Concerns? |
| 67 |
========= |
| 68 |
|
| 69 |
Security is a primary focus of Gentoo Linux and ensuring the |
| 70 |
confidentiality and security of our users machines is of utmost |
| 71 |
importance to us. Any security concerns should be addressed to |
| 72 |
security@g.o or alternatively, you may file a bug at |
| 73 |
http://bugs.gentoo.org. |
| 74 |
|
| 75 |
-----BEGIN PGP SIGNATURE----- |
| 76 |
Version: GnuPG v1.2.1 (GNU/Linux) |
| 77 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org |
| 78 |
|
| 79 |
iD8DBQFAKpzqMMXbAy2b2EIRAut+AJ9YoJa90874PYeNjs6z2Kv0Rho9/gCg71wT |
| 80 |
I8LE+RBEJjdVIC04nz9dKh0= |
| 81 |
=+v3e |
| 82 |
-----END PGP SIGNATURE----- |
Archives