Gallery Zipcart Module Arbitrary File Disclosure

This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a PHP application that has an
information disclosure issue.

Description :

The installation of Gallery hosted on the remote web server allows an
unauthenticated, remote attacker to use the ZipCart module to retrieve
arbitrary files, subject to the privileges of the web server user id.

Note that successful exploitation requires that the ZipCart module is
installed and activated on the Gallery install.

Note that the application is also reportedly affected by a cross-site
scripting vulnerability in the 'Add Image From Web' feature as well as
an information disclosure with the install log; however, Nessus has
not tested for these additional issues.

See also :

http://archives.neohapsis.com/archives/bugtraq/2005-11/0371.html
http://www.securityfocus.com/archive/1/archive/1/418200/100/0/threaded
http://galleryproject.org/gallery_2.0.2_released

Solution :

Deactivate the ZipCart module or upgrade to Gallery version 2.0.2 or
later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 21018 (gallery_zipcart_dir_traversal.nasl)

Bugtraq ID: 15614

CVE ID: CVE-2005-4023