Security hole in Gallery v1.3.2 (fix included)
Submitted by bharat on Sat, 2002-12-28 07:02
We have discovered (thanks to Michael Graff!) a security hole in Gallery 1.3.2 that can lead to a potential remote exploit of your web server by a malicious user. This hole has been patched in version 1.3.3 which will be available for download by midnight 12/27/2002 PST. If you are using the official Gallery 1.3.2 release, or a CVS release between Gallery 1.3.2 build 27 to Gallery 1.3.3 build 5 (inclusive), then we STRONGLY recommend that you upgrade to Gallery 1.3.3 or apply the security patch detailed below.

Gallery does some tricks in order to allow it to be smoothly integrated into CMS environments like PostNuke. Unfortunately, the approach that we're using runs the risk that we'll open the door for some potentially serious security issues. We take these security risks very seriously and address them as soon as possible once notified.
The security flaw in version 1.3.2 lies in the "Windows XP Publishing" feature that we recently introduced. In short, we use a variable without properly checking to make sure that it doesn't contain any malicious data. If you are unable to upgrade to version 1.3.3 right away we suggest that you take one of the following two steps:
Delete the publish_xp_docs.php file. This will cause your "Windows XP Publishing" feature to cease to function fully (but it'll be restored when you upgrade).
or
Edit your publish_xp_docs.php and near the top of the file, modify the code so that this line:
appears after this block:
<?php
// Hack prevention: refuse the request outright if GALLERY_BASEDIR was
// supplied through GET, POST or a cookie, before anything else runs.
if (!empty($HTTP_GET_VARS["GALLERY_BASEDIR"]) ||
    !empty($HTTP_POST_VARS["GALLERY_BASEDIR"]) ||
    !empty($HTTP_COOKIE_VARS["GALLERY_BASEDIR"])) {
    print "Security violation\n";
    exit;
}
?>
This will close the security hole.
regards,
Bharat
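The guard above, generalised into a reusable form as an added example; this is not code from the Gallery project or from the advisory. The function names, the error_log call and the sample requests are assumptions constructed for illustration. It goes slightly beyond the advisory's block in two ways: it reports which request channel carried the value, and it tests with isset() rather than !empty(), because in PHP empty("0") is true, so a supplied value of "0" would slip past an !empty() test.

```php
<?php
// Added example, not the Gallery project's code. It generalises the
// advisory's "Hack prevention" block into a reusable function; function
// names, parameter names and sample requests are assumptions.

/**
 * Return the names of the request channels (get, post, cookie) through which
 * the caller tried to supply GALLERY_BASEDIR. An empty array means the
 * request is clean. With register_globals on, any of these channels would
 * otherwise become the PHP variable $GALLERY_BASEDIR.
 */
function gallery_basedir_injection_sources(array $get, array $post, array $cookie)
{
    $sources = array('get' => $get, 'post' => $post, 'cookie' => $cookie);
    $hits = array();
    foreach ($sources as $name => $vars) {
        // isset() rather than !empty(): empty("0") is true in PHP, so a
        // supplied value of "0" would pass an !empty() test unnoticed.
        if (isset($vars['GALLERY_BASEDIR'])) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Drop-in guard for the top of publish_xp_docs.php: stop the request,
 * exactly as the advisory's block does, if any channel carries
 * GALLERY_BASEDIR. Returns normally only when the request is clean.
 */
function gallery_reject_basedir_injection(array $get, array $post, array $cookie)
{
    $hits = gallery_basedir_injection_sources($get, $post, $cookie);
    if (count($hits) > 0) {
        // Record which channel carried the value so an administrator can
        // spot attempts in the web server's error log, then stop.
        error_log('Gallery: GALLERY_BASEDIR supplied via ' . implode(',', $hits));
        print "Security violation\n";
        exit;
    }
}

// Constructed sample requests (not real traffic) exercising the check.
$samples = array(
    'clean request'     => array(array('page' => '1'), array(), array()),
    'value in GET'      => array(array('GALLERY_BASEDIR' => 'x'), array(), array()),
    'value "0" in POST' => array(array(), array('GALLERY_BASEDIR' => '0'), array()),
    'value in cookie'   => array(array(), array(), array('GALLERY_BASEDIR' => 'x')),
);
foreach ($samples as $label => $request) {
    $hits = call_user_func_array('gallery_basedir_injection_sources', $request);
    printf("%-19s -> %s\n", $label,
        $hits ? 'reject (' . implode(',', $hits) . ')' : 'allow');
}

// In the real file the guard is called once at the very top, with the live
// request arrays, in place of the advisory's inline block:
// gallery_reject_basedir_injection($_GET, $_POST, $_COOKIE);
```

Running the script prints one line per constructed sample: the clean request is allowed and the three others are rejected, with the "0" case showing why isset() is the stricter test. The live call at the bottom uses the $_GET, $_POST and $_COOKIE superglobals available since PHP 4.1; on older installs pass $HTTP_GET_VARS, $HTTP_POST_VARS and $HTTP_COOKIE_VARS instead, as the advisory's block does.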