From: "Peter Stöckli" <pcs@rootquest.com>
...
> -Proof of concept-
> It is possible to include any php file from a remote host, and execute
> it on the target's server.

Thanks for the alert. It's disappointing that you made absolutely no
effort to contact us before announcing this vulnerability. Even 12 hours
would have let us have a release ready in time for your announcement and
you still would have gotten the credit.

This vulnerability affects a small percentage of Unix gallery users, as
it can only be exploited when Gallery is in the non-functional
"configuration mode". However, it does expose Windows users to the
exploit.

Only the following versions of Gallery have the bug:
  * 1.4
  * 1.4-pl1
  * 1.4.1 (unreleased; prior to build 145)

The problem has been fixed in:
  * 1.4-pl2
    http://sf.net/project/showfiles.php?group_id=7130&release_id=184028
  * 1.4.1 (unreleased; build 145)

We strongly recommend that you upgrade to 1.4-pl2 immediately. However,
if you don't want to install the entire 1.4-pl2 update, there are two
simple approaches you can take to secure your system:

1. Delete gallery/setup/index.php

   This will also disable the configuration wizard for you until you
   restore this file or upgrade to a secure release.

--or--

2. Open gallery/setup/index.php in a text editor and change the
   following lines:

       if (!isset($GALLERY_BASEDIR)) {
           $GALLERY_BASEDIR = '../';
       }

   to this:

       $GALLERY_BASEDIR = '../';

   Note that all we are doing is deleting two lines of code.

regards,
Bharat Mediratta
Gallery Development Team
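
The following check is an added example, not part of the original message and not Gallery project code: it reports which of the states described above a given Gallery directory is in, by looking at setup/index.php. The function name check_gallery_setup and the four status words are assumptions made for this example, and the match is a line-pattern heuristic, not a PHP parser.

```shell
#!/bin/sh
# Added example, not Gallery project code.
# check_gallery_setup DIR prints one word for the Gallery install in DIR:
#   removed        setup/index.php is gone (workaround 1)
#   guard-present  the isset() guard quoted in the message is still there
#   unconditional  $GALLERY_BASEDIR is assigned without the guard (workaround 2)
#   unrecognized   neither form found; inspect the file by hand

check_gallery_setup() {
    setup="$1/setup/index.php"

    # Workaround 1: the setup entry point has been deleted.
    if [ ! -e "$setup" ]; then
        echo "removed"
        return 0
    fi

    # Original lines: the default is applied only when the variable is not
    # already set, i.e. "if (!isset($GALLERY_BASEDIR)) {".
    if grep -Eq 'isset[[:space:]]*\([[:space:]]*\$GALLERY_BASEDIR[[:space:]]*\)' "$setup"; then
        echo "guard-present"
        return 0
    fi

    # Workaround 2: the assignment stands on its own line. The "." on each
    # side of \.\./ matches either quote character.
    if grep -Eq '^[[:space:]]*\$GALLERY_BASEDIR[[:space:]]*=[[:space:]]*.\.\./.[[:space:]]*;' "$setup"; then
        echo "unconditional"
        return 0
    fi

    echo "unrecognized"
}

# Report every directory named on the command line (no-op without arguments).
for dir in "$@"; do
    printf '%s: %s\n' "$dir" "$(check_gallery_setup "$dir")"
done
```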