GLSA-200409-05 : Gallery: Arbitrary command execution

high Nessus Plugin ID 14652

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200409-05 (Gallery: Arbitrary command execution).

The upload handling code in Gallery places uploaded files in a temporary directory. Files that are not valid images are deleted after 30 seconds, but during that window the uploaded file still exists on disk. If the temporary directory is located inside the webroot, a remote attacker can upload a carefully crafted script and request it over the web before the cleanup runs, so the web server executes it. The attack therefore requires the temporary directory to be inside the webroot and the attacker to have upload rights, either as an authenticated user or via the 'EVERYBODY' permission.

Impact:

An attacker could run arbitrary code as the user running PHP.

Workaround:

There are several workarounds to this vulnerability:
Make sure that your temporary directory is not contained in the webroot; by default it is located outside the webroot.
Disable upload rights to all albums for 'EVERYBODY'; upload is disabled by default.
Disable debug and dev mode; these settings are disabled by default.
Disable allow_url_fopen in php.ini.
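The workarounds above are all configuration checks, and the first one is easy to get wrong: a naive string-prefix comparison misses a temporary directory that is a symlink into the webroot, or wrongly flags a sibling directory that merely shares a prefix. The script below is an added example for auditing those settings; it is not code from the advisory, from Nessus or from the Gallery project. Because the advisory does not name Gallery's configuration variables, the webroot, temporary directory, 'EVERYBODY' upload flag and debug/dev flags are passed in as parameters, and the php.ini parsing assumes standard php.ini syntax (`directive = value`, `;` starts a comment, later entries override earlier ones).

```python
"""Audit a Gallery 1.x host against the GLSA-200409-05 workarounds.

Added example, not code from the advisory, Nessus or the Gallery project.
Assumptions: the advisory does not name Gallery's config variables, so the
webroot, temporary directory, 'EVERYBODY' upload flag and debug/dev flags are
passed in as parameters; php.ini text follows standard php.ini syntax
(`directive = value`, ';' starts a comment, later entries override earlier).
"""
import os
import re
import tempfile


def path_inside(child: str, parent: str) -> bool:
    """Return True if `child` resolves to a location at or below `parent`.

    realpath follows symlinks, so a temp dir that is a symlink into the
    webroot is still flagged; commonpath (not a string prefix test) keeps
    /var/www/html2 from being mistaken for a child of /var/www/html.
    """
    child_real = os.path.realpath(child)
    parent_real = os.path.realpath(parent)
    try:
        return os.path.commonpath([child_real, parent_real]) == parent_real
    except ValueError:  # paths on different drives (Windows only)
        return False


_ALLOW_URL_FOPEN = re.compile(r"^\s*allow_url_fopen\s*=\s*(\S*)", re.IGNORECASE)
_ON_VALUES = {"1", "on", "true", "yes"}


def allow_url_fopen_enabled(ini_text: str) -> bool:
    """Parse php.ini text. PHP defaults allow_url_fopen to On when it is absent."""
    value = None
    for line in ini_text.splitlines():
        code = line.split(";", 1)[0]  # drop a trailing php.ini comment
        match = _ALLOW_URL_FOPEN.match(code)
        if match:
            value = match.group(1).strip('"').lower()  # last occurrence wins
    if value is None:
        return True
    return value in _ON_VALUES


def audit(webroot: str, tmp_dir: str, everybody_can_upload: bool,
          debug_mode: bool, dev_mode: bool, ini_text: str) -> list:
    """Return one finding string per workaround that is NOT in place."""
    findings = []
    if path_inside(tmp_dir, webroot):
        findings.append("temporary directory is inside the webroot: "
                        "uploaded files are reachable over HTTP during the 30 s window")
    if everybody_can_upload:
        findings.append("'EVERYBODY' has upload rights on at least one album")
    if debug_mode or dev_mode:
        findings.append("debug or dev mode is enabled")
    if allow_url_fopen_enabled(ini_text):
        findings.append("allow_url_fopen is On in php.ini")
    return findings


if __name__ == "__main__":
    # Constructed layout: the Gallery temp dir is a symlink that points into
    # the webroot, which a plain prefix comparison would miss.
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "htdocs")
        os.makedirs(os.path.join(webroot, "tmp"))
        link = os.path.join(root, "gallery-tmp")
        os.symlink(os.path.join(webroot, "tmp"), link)
        for finding in audit(webroot, link, True, False, False, ""):
            print("FINDING:", finding)
```

Run it as the web server user so that realpath can traverse the same directories PHP does; a directory the audit cannot resolve is one it cannot clear.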

Solution

All Gallery users should upgrade to the latest version:
# emerge sync
# emerge -pv '>=www-apps/gallery-1.4.4_p2'
# emerge '>=www-apps/gallery-1.4.4_p2'

See Also

http://www.nessus.org/u?e29ea6a8

http://www.nessus.org/u?864e87f5

https://security.gentoo.org/glsa/200409-05

Plugin Details

Severity: High

ID: 14652

File Name: gentoo_GLSA-200409-05.nasl

Version: 1.20

Type: local

Published: 9/3/2004

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:gallery, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/2/2004

Reference Information

CVE: CVE-2004-1466

GLSA: 200409-05