___________________ PROBLEM DESCRIPTION Gallery is an open source image management system. Learn more about it at http://gallery.sourceforge.net Gallery v1.3.2 introduced a new feature that allows users to publish images to their website-based Gallery using the Windows XP Publishing subsystem. This feature introduced a bug that can allow a malicious user to craft a URL such that they can get remote access to web server, as the user running the web server. Many thanks to Michael Graff for noticing this hole and bringing it to the attention of the Gallery dev team. It's nice to see folks doing the right thing with dangerous information. _________________ VERSIONS AFFECTED The only affected official release is Gallery 1.3.2. However, for those of you tracking Gallery in CVS, this hole was introduced in Gallery 1.3.2-cvs-b27 and was closed in Gallery 1.3.3-cvs-b6. _____ PATCH The fix to this problem is very simple. Pursue one of the following three options: 1. Upgrade to v1.3.3, available now on the Gallery website: http://gallery.sourceforge.net/download.php -- or -- 2. Edit your publish_xp_docs.php and near the top of the file, modify the code so that this line: <?php require($GALLERY_BASEDIR . "init.php"); ?> appears after this block: <?php // Hack prevention. if (!empty($HTTP_GET_VARS["GALLERY_BASEDIR"]) || !empty($HTTP_POST_VARS["GALLERY_BASEDIR"]) || !empty($HTTP_COOKIE_VARS["GALLERY_BASEDIR"])) { print "Security violation\n"; exit; } ?> -- or -- 3. Delete publish_xp_docs.php. This will secure your system but will also disable the Windows XP Publishing feature. regards, Bharat Mediratta Gallery developer
This archive was generated by hypermail 2b30 : Sat Dec 28 2002 - 12:27:30 PST