[28829] in bugtraq
Gallery 1.3.3
daemon@ATHENA.MIT.EDU (error)
Mon Feb 10 09:34:33 2003
From: error <error@lostinthenoise.net>
To: bugtraq@securityfocus.com
Message-Id: <1044837096.32678.50.camel@eris>
Date: 09 Feb 2003 16:31:37 -0800
Vulnerable: gallery version 1.3.3 (other versions not tested)
Url: gallery.sf.net
Local exploit.
Gallery has a security hole where any other user on the same webserver
can create, modify or destroy photos in a given album directory.
Also Gallery requires that you turn off safe mode.
Each gallery setup needs a temp directory and an album directory.
Gallery accesses the album directory in a manner that requires
permissions of 755.
eg:
drwxr-xr-x 5 www wheel 512 Feb 9 16:02 albums
and inside albums:
ls -l
total 16
drwxrwxr-x 2 www wheel 3584 Feb 9 16:19 album01
drwxrwxr-x 2 www wheel 5120 Feb 9 16:25 album02
-rw-r--r-- 1 www wheel 65 Feb 9 16:02 albumdb.dat
-rw-r--r-- 1 www wheel 65 Feb 9 16:02 albumdb.dat.bak
-rw-r--r-- 1 www wheel 0 Feb 9 14:05 albumdb.dat.lock
-rw-r--r-- 1 www wheel 11 Feb 9 15:42 serial.dat
As a result anyone who has ever set up a gallery before can just have a
cgi running as user www (or whatever user apache is running as) move
files around.
This can be exploited with everything from SSI and Perl to even PHP.
So on shared hosting gallery is a bad idea.
There is no fix for this as of this time.
This is a product of poor default web application security design.
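An added audit script, not part of the advisory and not Gallery's own code, that checks the condition described above from the defender's side: it walks a Gallery albums directory and lists every entry the web-server principal (the uid and gids that Apache scripts run under) could write to, using the same owner/group/other permission logic the kernel applies. Paths and the web-server user name are assumptions supplied by the caller.

```python
import os
import stat


def writable_by(st, uid, gids):
    """True if a principal with this uid and these gids may write this inode.

    Mirrors the kernel's class selection: if the uid owns the inode only the
    owner bits count; otherwise the group bits if a gid matches; otherwise
    the 'other' bits. (Root is not special-cased here.)
    """
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_albums(albums_dir, web_uid, web_gids):
    """Return (path, kind, mode) for every entry under albums_dir that the
    web-server principal could modify.

    A writable directory lets that principal create, rename or delete the
    entries inside it (the photos and albumdb.dat); a writable file lets it
    alter the file in place. Symlinks are skipped rather than followed.
    """
    gids = set(web_gids)
    candidates = [albums_dir]
    for root, dirs, files in os.walk(albums_dir):
        candidates.extend(os.path.join(root, n) for n in dirs + files)
    findings = []
    for path in candidates:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        if writable_by(st, web_uid, gids):
            kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
            findings.append((path, kind, oct(stat.S_IMODE(st.st_mode))))
    return findings


if __name__ == "__main__":
    import grp, pwd, sys
    # Usage (assumed paths): audit.py /var/www/albums www
    albums, web_user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(web_user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if web_user in g.gr_mem}
    for path, kind, mode in audit_albums(albums, pw.pw_uid, gids):
        print(f"{kind:4} {mode} {path}")
```

On a shared host, every line this prints is an object that any other customer's CGI, SSI or PHP script running as the web-server user can alter, which is exactly the exposure the advisory describes.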
--
error <error@lostinthenoise.net>