Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200409-05 ] Gallery: Arbitrary command execution
Date: Thu, 02 Sep 2004 20:53:16
Message-Id: 200409022236.21742.jaervosz@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200409-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Gallery: Arbitrary command execution
      Date: September 02, 2004
      Bugs: #60742
        ID: 200409-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Gallery image upload code contains a temporary file handling
vulnerability which could lead to execution of arbitrary commands.

Background
==========

Gallery is a PHP script for maintaining online photo albums.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /   Vulnerable   /                   Unaffected
    -------------------------------------------------------------------
  1  www-apps/gallery      < 1.4.4_p2                      >= 1.4.4_p2

Description
===========

The upload handling code in Gallery places uploaded files in a
temporary directory. After 30 seconds, these files are deleted if they
are not valid images. However, since the file exists for 30 seconds, a
carefully crafted script could be initiated by the remote attacker
during this 30 second timeout. Note that the temporary directory has to
be located inside the webroot and an attacker needs to have upload
rights either as an authenticated user or via "EVERYBODY".

Impact
======

An attacker could run arbitrary code as the user running PHP.

Workaround
==========

There are several workarounds to this vulnerability:

* Make sure that your temporary directory is not contained in the
  webroot; by default it is located outside the webroot.

* Disable upload rights to all albums for "EVERYBODY"; upload is
  disabled by default.

* Disable debug and dev mode; these settings are disabled by default.

* Disable allow_url_fopen in php.ini.

Resolution
==========

All Gallery users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=www-apps/gallery-1.4.4_p2"
    # emerge ">=www-apps/gallery-1.4.4_p2"

References
==========

  [ 1 ] Full Disclosure Announcement
        http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0757.html
  [ 2 ] Gallery Announcement
        http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=134&mode=thread&order=0&thold=0

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200409-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBN4QuzKC5hMHO6rkRAvjRAJ9ew8O+G6tQ/+wifIJkqYadFCU0cgCeK75X
9F2kemN3tO5SBNb80LQkLjc=
=KCrK
-----END PGP SIGNATURE-----
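
A host-side check for two of the workarounds listed in the advisory (temporary directory outside the webroot, allow_url_fopen disabled), as an added example that is not part of the advisory or of Gallery. The function names are hypothetical, and the temporary directory, webroot and php.ini paths are assumed to be supplied by the operator.

```shell
#!/bin/sh
# Added example: audit two of the advisory's workarounds on one host.
# The three paths are supplied by the operator; nothing is read from Gallery.

# Print the physical (symlink-resolved) path of a directory.
canon() { (cd "$1" 2>/dev/null && pwd -P); }

# 0 = directory $1 is webroot $2 or lies beneath it, 1 = outside,
# 2 = one of the two directories could not be resolved.
is_inside_webroot() {
    tmp=$(canon "$1") || return 2
    root=$(canon "$2") || return 2
    root=${root%/}                      # so that "/" also works as a webroot
    case "$tmp/" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# 0 = php.ini file $1 leaves allow_url_fopen enabled, 1 = disabled.
# The last uncommented directive wins; PHP enables the setting when it is
# absent, so a missing directive is reported as enabled.
url_fopen_enabled() {
    val=$(sed -n 's/^[[:space:]]*allow_url_fopen[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$1" |
          tail -n 1 | tr 'A-Z' 'a-z' | tr -d '"')
    case "$val" in
        off|0|false|no|none) return 1 ;;
        *)                   return 0 ;;
    esac
}

# usage: audit GALLERY_TMP_DIR WEBROOT PHP_INI
# Returns the number of checks that need attention (0 to 2).
audit() {
    fails=0; in_rc=0
    is_inside_webroot "$1" "$2" || in_rc=$?
    case "$in_rc" in
        0) echo "FAIL temp dir $1 resolves inside webroot $2"; fails=$((fails + 1)) ;;
        1) echo "ok   temp dir $1 is outside webroot $2" ;;
        *) echo "FAIL cannot resolve $1 or $2"; fails=$((fails + 1)) ;;
    esac
    if url_fopen_enabled "$3"; then
        echo "FAIL allow_url_fopen is enabled in $3"; fails=$((fails + 1))
    else
        echo "ok   allow_url_fopen is disabled in $3"
    fi
    return "$fails"
}

if [ "$#" -eq 3 ]; then audit "$@"; fi
```

Because the configured path is resolved before the comparison, a temporary directory that is only a symlink into the webroot is reported as inside it.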