(Big thanks to Fred [vrotogel] for discovering this vulnerability and alerting us before posting.)

___________________
PROBLEM DESCRIPTION

Gallery is an open source image management system written in PHP. Learn more about it at http://gallery.sourceforge.net

Starting in release 1.3.1, Gallery includes code to simulate the behaviour of register_globals in environments where that setting is disabled. We do this by extracting the values of the various $HTTP_*_VARS global arrays into the global namespace. We check for the presence of certain types of malicious data before doing this, but our checks are inadequate. A clever hacker can circumvent our checks by crafting a URL like this:

http://example.com/gallery/init.php?HTTP_POST_VARS=xxx

This causes our register_globals simulation code to overwrite $HTTP_POST_VARS, which, when it is extracted in turn, delivers the payload. If the payload compromises $GALLERY_BASEDIR, the malicious user can perform a PHP injection exploit and gain remote access to your box as the webserver/PHP user id.

_________________
VERSIONS AFFECTED

This vulnerability affects Gallery releases 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1. It has been fixed in Gallery v1.4.1-pl1, v1.4.2 (not yet released) and in the CVS HEAD.

We strongly recommend that all users upgrade to Gallery v1.4.1-pl1 ASAP.

__________________
FIXING THE PROBLEM

There are three different ways you can resolve this problem.

1. Replace init.php and setup/init.php with the files from this zip:
   http://prdownloads.sourceforge.net/gallery/patch_1.4.1-to-1.4.1-pl1.zip?download

-or-

2. Upgrade to Gallery 1.4.1-pl1:
   http://sourceforge.net/project/showfiles.php?group_id=7130&package_id=7239&release_id=212324

-or-

3. Follow the instructions in this news article:
   http://gallery.sourceforge.net/article.php?sid=107
   to manually patch the two affected files (it won't take more than a couple of minutes).

regards,
Bharat Mediratta
Gallery developer
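As an added illustration of the register_globals emulation flaw described under PROBLEM DESCRIPTION (example code written for this page, not Gallery's init.php or its pl1 patch): the unsafe import loop beside a hardened one that snapshots the request arrays before importing and refuses any key naming a request array, a PHP special variable or GALLERY_BASEDIR. The list of request arrays, the deny-list and the sample request are constructed for the example.

```php
<?php
// Added example (not Gallery's code): register_globals emulation, unsafe and hardened.
// Unsafe: every request key becomes a global, including a key that names one
// of the request arrays. A GET key HTTP_POST_VARS therefore replaces
// $HTTP_POST_VARS before the outer loop reaches it and copies its contents.
function import_request_vars_unsafe($arrays = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS'))
{
    foreach ($arrays as $arr) {
        if (!isset($GLOBALS[$arr]) || !is_array($GLOBALS[$arr])) {
            continue;
        }
        foreach ($GLOBALS[$arr] as $key => $value) {
            $GLOBALS[$key] = $value;
        }
    }
}

// Hardened: snapshot the request arrays before importing anything, so a request
// key cannot swap one out mid-import, and refuse any key that names a request
// array, a PHP special variable, or the application's own configuration.
function import_request_vars_safe($arrays = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS'))
{
    $denied = array('GLOBALS', 'GALLERY_BASEDIR');   // assumed deny-list for this example
    $snapshot = array();
    foreach ($arrays as $arr) {
        if (isset($GLOBALS[$arr]) && is_array($GLOBALS[$arr])) {
            $snapshot[$arr] = $GLOBALS[$arr];   // array copy, not a reference
        }
    }
    foreach ($snapshot as $vars) {
        foreach ($vars as $key => $value) {
            if (in_array($key, $denied, true) || strpos($key, 'HTTP_') === 0
                || substr($key, 0, 1) === '_'
                || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
                continue;   // drop it; a deployment would also log the attempt
            }
            $GLOBALS[$key] = $value;
        }
    }
}

// Constructed request, assigned by hand so the example runs on any PHP version:
// a GET parameter named HTTP_POST_VARS carrying a GALLERY_BASEDIR entry
// (placeholder value, not a real payload).
$HTTP_GET_VARS   = array('HTTP_POST_VARS' => array('GALLERY_BASEDIR' => 'ATTACKER_CHOSEN_VALUE'));
$HTTP_POST_VARS  = array();
$GALLERY_BASEDIR = '/var/www/gallery/';
import_request_vars_safe();
echo "GALLERY_BASEDIR after hardened import: $GALLERY_BASEDIR\n";
```

Swapping the last call for import_request_vars_unsafe() shows the same request rewriting $GALLERY_BASEDIR; the safer fix, where the code base allows it, is to drop the emulation altogether and read $_GET/$_POST explicitly.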