GLSA-200409-05 : Gallery: Arbitrary command execution

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200409-05
(Gallery: Arbitrary command execution).

The upload handling code in Gallery places uploaded files in a
temporary directory. After 30 seconds, these files are deleted if they
are not valid images. However, since the file exists for 30 seconds, a
carefully crafted script could be initiated by the remote attacker
during this 30-second timeout. Note that the temporary directory has to
be located inside the webroot and an attacker needs to have upload
rights either as an authenticated user or via 'EVERYBODY'.

Impact :

An attacker could run arbitrary code as the user running PHP.

Workaround :

There are several workarounds to this vulnerability:

- Make sure that your temporary directory is not contained in the
  webroot; by default it is located outside the webroot.
- Disable upload rights to all albums for 'EVERYBODY'; upload is
  disabled by default.
- Disable debug and dev mode; these settings are disabled by default.
- Disable allow_url_fopen in php.ini.
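As an added illustration of the fix behind the description above and the first workaround (example code, not Gallery's own): an upload handler that never lets an unvalidated file exist under the webroot, so there is no window in which a non-image upload is reachable by URL. The directory paths, the form field name and the allowed image types are assumptions.

```php
<?php
// Added example, not Gallery code. Paths are assumptions for illustration.
declare(strict_types=1);

const QUARANTINE_DIR = '/var/lib/gallery/quarantine';      // NOT served by the web server
const ALBUM_DIR      = '/var/www/html/gallery/albums/demo'; // served as static files only

/**
 * Accept one uploaded file from $_FILES[$field].
 * The file is moved to a quarantine directory outside the webroot, validated
 * there, and only renamed into the album once it is known to be an image.
 * Returns the final path, or null when the upload is rejected.
 */
function acceptImageUpload(string $field): ?string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return null;
    }

    // Pick our own file name; the client-supplied name is never used.
    $quarantined = tempnam(QUARANTINE_DIR, 'upl_');
    if ($quarantined === false
        || !move_uploaded_file($_FILES[$field]['tmp_name'], $quarantined)) {
        return null;
    }

    // Validate while the file is still outside the webroot. Anything that
    // is not a GIF, JPEG or PNG is deleted before it was ever URL-reachable.
    $info    = @getimagesize($quarantined);
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        unlink($quarantined);
        return null;
    }

    // Extension comes from the detected type, not from the upload.
    $ext  = image_type_to_extension($info[2], false);
    $dest = ALBUM_DIR . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!rename($quarantined, $dest)) {
        unlink($quarantined);
        return null;
    }
    chmod($dest, 0644); // plain data file, never executable
    return $dest;
}
```

The same pattern covers the first workaround: a temporary directory outside the webroot removes the exposure even if validation is delayed.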

See also :

http://www.nessus.org/u?6666e756
http://www.nessus.org/u?864e87f5
http://www.gentoo.org/security/en/glsa/glsa-200409-05.xml

Solution :

All Gallery users should upgrade to the latest version:
# emerge sync
# emerge -pv '>=www-apps/gallery-1.4.4_p2'
# emerge '>=www-apps/gallery-1.4.4_p2'

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 14652 (gentoo_GLSA-200409-05.nasl)

Bugtraq ID:

CVE ID: CVE-2004-1466