Vulnerabilities > CVE-2004-1466 - Remote Server-Side Script Execution vulnerability in Gallery Project Gallery 1.4.4

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
gallery-project
nessus
exploit available

Summary

The set_time_limit function in Gallery before 1.4.4_p2 deletes non-image files in a temporary directory every 30 seconds after they have been uploaded using save_photos.php, which allows remote attackers to upload and execute arbitrary scripts before they are deleted, if the temporary directory is under the web root.

Vulnerable Configurations

Part: Application | Description: Gallery_Project | Count: 1

Exploit-Db

description: Gallery 1.4.4 Remote Server-Side Script Execution Vulnerability. CVE-2004-1466. Webapps exploit for php platform
id: EDB-ID:24383
last seen: 2016-02-02
modified: 2004-07-17
published: 2004-07-17
reporter: aCiDBiTS
source: https://www.exploit-db.com/download/24383/
title: Gallery 1.4.4 - Remote Server-Side Script Execution Vulnerability

Nessus

  • NASL family: CGI abuses
    NASL id: GALLERY_SCRIPT_EXEC.NASL
    description: The version of Gallery hosted on the remote web server is affected by an arbitrary command execution vulnerability. This could allow an attacker to execute arbitrary commands on the remote host by uploading a file containing arbitrary PHP code. When the temp directory is web accessible, the attacker has a 30 second window to access the script and execute the remote code before the file is deleted. Note that in order to exploit this flaw, an attacker would require the privileges to upload files to a remote photo album.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14338
    published: 2004-08-22
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14338
    title: Gallery save_photos.php Arbitrary Command Execution
    code:
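    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration: metadata only, no network activity happens here.
    if (description)
    {
      script_id(14338);
      script_version("1.22");
      script_cvs_date("Date: 2018/11/15 20:50:17");
    
      script_cve_id("CVE-2004-1466");
      script_bugtraq_id(10968);
    
      script_name(english:"Gallery save_photos.php Arbitrary Command Execution");
      script_summary(english:"Checks for the version of Gallery");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote web server hosts a PHP application that is affected by a
    remote command execution vulnerability."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The version of Gallery hosted on the remote web server is affected by
    an arbitrary command execution vulnerability.  This could allow an
    attacker to execute arbitrary commands on the remote host by uploading a
    file containing arbitrary PHP code.  When the temp directory is web
    accessible, the attacker has a 30 second window to access the script and
    execute the remote code before the file is deleted. 
    
    Note that in order to exploit this flaw, an attacker would require the
    privileges to upload files to a remote photo album."
      );
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Aug/803");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Aug/960");
      script_set_attribute(attribute:"see_also", value:"http://galleryproject.org/node/134");
      script_set_attribute(attribute:"solution", value:"Upgrade to Gallery 1.4.4-pl1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:ND/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/08/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/22");
    
      # The check is purely version-based, so the finding is marked as
      # potential and only reported under paranoid reporting (see below).
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:gallery_project:gallery");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
    
      script_dependencie("gallery_detect.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_keys("www/gallery", "www/PHP", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    # The install location and version come from gallery_detect.nasl via the KB;
    # exit_on_fail makes get_install_from_kb() audit out when nothing was found.
    install = get_install_from_kb(
      appname      : "gallery",
      port         : port,
      exit_on_fail : TRUE
    );
    
    dir = install["dir"];
    version = install["ver"];
    install_url = build_url(port:port, qs:dir);
    
    if (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, "Gallery", install_url);
    
    # Version-only check: never report unless the user opted into paranoid mode.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Versions < 1.4.4-pl1 are affected.
    #
    # The 1.4.4 line is matched separately from 0.x / 1.0-1.3 / 1.4.0-1.4.3:
    # a single pattern of the form "...4...([^0-9]|$)" would also accept
    # "1.4.4-pl1" and later patch levels, because the "-" of the suffix is a
    # non-digit, and the fixed release would be reported as vulnerable.
    # Only a bare "1.4.4" (optionally followed by a non-digit other than "-")
    # or exactly "1.4.4-pl0" is treated as affected.
    if (
      version =~ "^0\." ||
      version =~ "^1\.([0-3]|4\.[0-3])([^0-9]|$)" ||
      version =~ "^1\.4\.4([^0-9-]|$)" ||
      version =~ "^1\.4\.4-pl0([^0-9]|$)"
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  URL               : ' +install_url+
          '\n  Installed version : ' +version+
          '\n  Fixed version     : 1.4.4-pl1\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, "Gallery", install_url, version);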
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200409-05.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200409-05 (Gallery: Arbitrary command execution) The upload handling code in Gallery places uploaded files in a temporary directory. After 30 seconds, these files are deleted if they are not valid images. However, since the file exists for 30 seconds, a carefully crafted script could be initiated by the remote attacker during this 30 second timeout. Note that the temporary directory has to be located inside the webroot and an attacker needs to have upload rights either as an authenticated user or via 'EVERYBODY'.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14652
    published: 2004-09-03
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/14652
    title: GLSA-200409-05 : Gallery: Arbitrary command execution
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200409-05.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Registration block: plugin metadata and the advisory text, nothing else.
    if (description)
    {
      script_id(14652);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:41");
    
      script_cve_id("CVE-2004-1466");
      script_xref(name:"GLSA", value:"200409-05");
    
      script_name(english:"GLSA-200409-05 : Gallery: Arbitrary command execution");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200409-05
    (Gallery: Arbitrary command execution)
    
        The upload handling code in Gallery places uploaded files in a
        temporary directory. After 30 seconds, these files are deleted if they
        are not valid images. However, since the file exists for 30 seconds, a
        carefully crafted script could be initiated by the remote attacker
        during this 30 second timeout. Note that the temporary directory has to
        be located inside the webroot and an attacker needs to have upload
        rights either as an authenticated user or via 'EVERYBODY'.
      
    Impact :
    
        An attacker could run arbitrary code as the user running PHP.
      
    Workaround :
    
        There are several workarounds to this vulnerability:
        Make sure that your temporary directory is not contained in the
        webroot; by default it is located outside the webroot.
        Disable upload rights to all albums for 'EVERYBODY'; upload is
        disabled by default.
        Disable debug and dev mode; these settings are disabled by
        default.
        Disable allow_url_fopen in php.ini."
      );
      # http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0757.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e29ea6a8"
      );
      # http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=134&mode=thread&order=0&thold=0
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?864e87f5"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200409-05"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Gallery users should upgrade to the latest version:
        # emerge sync
        # emerge -pv '>=www-apps/gallery-1.4.4_p2'
        # emerge '>=www-apps/gallery-1.4.4_p2'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:gallery");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/09/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # A local package check needs SSH-collected data for a Gentoo host; bail out
    # (via audit(), which exits) when any of the three KB keys is missing.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Per GLSA-200409-05, every www-apps/gallery build below 1.4.4_p2 is affected.
    affected = qpkg_check(
      package    : "www-apps/gallery",
      unaffected : make_list("ge 1.4.4_p2"),
      vulnerable : make_list("lt 1.4.4_p2")
    );
    
    # Not affected or not installed: audit() reports the reason and exits, so
    # only a vulnerable host reaches the reporting code below.
    if (!affected)
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Gallery");
    }
    
    if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
    else security_hole(0);
    exit(0);