-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200402-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Gallery <= 1.4.1 remote exploit vulnerability
Date: February 11, 2004
Bugs: #39638
ID: 200402-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Gallery developers have discovered a potentially serious security
flaw in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1 which can lead to a
remote exploit of your webserver.

Background
==========

Gallery is an open source image management system written in PHP. More
information is available at http://gallery.sourceforge.net.

Description
===========

Starting in the 1.3.1 release, Gallery includes code to simulate the
behaviour of the PHP 'register_globals' variable in environments where
that setting is disabled. It is simulated by extracting the values of
the various $HTTP_ global variables into the global namespace.

Impact
======

A crafted URL such as
http://example.com/gallery/init.php?HTTP_POST_VARS=xxx causes the
'register_globals' simulation code to overwrite the $HTTP_POST_VARS
array, which, when it is extracted in turn, delivers the given payload.
If the payload compromises $GALLERY_BASEDIR then the malicious user can
perform a PHP injection exploit and gain remote access to the webserver
with the access rights of the UID that PHP runs as.

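Added example (not part of the advisory and not Gallery's code): a
simplified PHP model of the flaw described above, with the unsafe
emulation beside one possible hardened form. The function names, the
reserved-name list and the sample request are assumptions constructed
for illustration.

```php
<?php
// Added illustration: simplified model of a register_globals emulation.
// Not Gallery's init.php; names, lists and sample data are constructed.

const SOURCES  = ['HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS'];
const RESERVED = ['GLOBALS', 'HTTP_GET_VARS', 'HTTP_POST_VARS',
                  'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS'];

// Unsafe: each source array is read back from the namespace being
// written to, so an earlier source can replace a later one.
function emulate_unsafe(array $ns): array
{
    foreach (SOURCES as $src) {
        $vars = is_array($ns[$src] ?? null) ? $ns[$src] : [];
        foreach ($vars as $name => $value) {
            $ns[$name] = $value;            // no name check at all
        }
    }
    return $ns;
}

// One possible hardening (an assumption, not the vendor patch):
// snapshot the sources first, and never let request data define a
// reserved name or a name the application had already set.
function emulate_safe(array $ns): array
{
    $protected = array_flip(array_merge(RESERVED, array_keys($ns)));
    $snapshots = [];
    foreach (SOURCES as $src) {
        $snapshots[] = is_array($ns[$src] ?? null) ? $ns[$src] : [];
    }
    foreach ($snapshots as $vars) {
        foreach ($vars as $name => $value) {
            if (!isset($protected[$name])) {
                $ns[$name] = $value;
            }
        }
    }
    return $ns;
}

// Constructed request: a GET parameter named like a later source array.
$ns = [
    'GALLERY_BASEDIR'  => '/var/www/gallery/',
    'HTTP_GET_VARS'    => ['HTTP_POST_VARS' => ['GALLERY_BASEDIR' => 'REQUEST-SUPPLIED']],
    'HTTP_POST_VARS'   => [],
    'HTTP_COOKIE_VARS' => [],
];
printf("unsafe: %s\n", emulate_unsafe($ns)['GALLERY_BASEDIR']);
printf("safe:   %s\n", emulate_safe($ns)['GALLERY_BASEDIR']);
```

The model runs under the PHP CLI (PHP 7 or later) and prints the value
of GALLERY_BASEDIR after each variant has processed the same request.
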
Workaround
==========

The workaround for the vulnerability is to replace "init.php" and
"setup/init.php" with the files in the following ZIP file:
http://prdownloads.sourceforge.net/gallery/patch_1.4.1-to-1.4.1-pl1.zip?download

Resolution
==========

All users are encouraged to upgrade their gallery installation:

    # emerge sync
    # emerge -p ">=app-misc/gallery-1.4.1_p1"
    # emerge ">=app-misc/gallery-1.4.1_p1"

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAKpzqMMXbAy2b2EIRAut+AJ9YoJa90874PYeNjs6z2Kv0Rho9/gCg71wT
I8LE+RBEJjdVIC04nz9dKh0=
=+v3e
-----END PGP SIGNATURE-----