GLSA-200409-05 : Gallery: Arbitrary command execution

This script is Copyright (C) 2004-2017 Tenable Network Security, Inc.

Synopsis :

The remote Gentoo host is missing one or more security-related

Description :

The remote host is affected by the vulnerability described in GLSA-200409-05
(Gallery: Arbitrary command execution)

The upload handling code in Gallery places uploaded files in a
temporary directory. After 30 seconds, these files are deleted if they
are not valid images. However, because the file exists for those 30
seconds, a carefully crafted script could be initiated by the remote
attacker during this 30-second window. Note that the temporary directory
has to be located inside the webroot, and the attacker needs upload
rights, either as an authenticated user or via 'EVERYBODY'.

Impact :

An attacker could run arbitrary code as the user running PHP.

Workaround :

There are several workarounds to this vulnerability:
- Make sure that your temporary directory is not contained in the webroot; by default it is located outside the webroot.
- Disable upload rights to all albums for 'EVERYBODY'; upload is disabled by default.
- Disable debug and dev mode; these settings are disabled by
- Disable allow_url_fopen in php.ini.
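
An added example (not part of the advisory or of Gallery) that audits two of the workarounds above: whether a temporary directory resolves, symlinks included, to a location inside the webroot, and whether allow_url_fopen is effectively enabled in a given php.ini text. The function names, paths and ini content are assumptions of this example; the caller supplies the real webroot, temporary directory and php.ini.

```python
import os
import re
import tempfile

def is_inside(path, root):
    """True if path resolves (symlinks followed) to root or somewhere below it."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    # commonpath compares whole components, so /srv/htdocs_old is not "inside" /srv/htdocs
    return os.path.commonpath([path, root]) == root

def allow_url_fopen_enabled(ini_text):
    """Effective allow_url_fopen for the given php.ini text (PHP's default is on)."""
    enabled = True
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]  # ';' starts a php.ini comment
        m = re.match(r'\s*allow_url_fopen\s*=\s*"?([^"\s]*)', line, re.I)
        if m:  # a later setting overrides an earlier one
            v = m.group(1).lower()
            enabled = v in {"on", "yes", "true"} or (v.isdigit() and int(v) != 0)
    return enabled

def audit(webroot, tmpdir, ini_text):
    """Return findings for the two workarounds this example covers."""
    findings = []
    if is_inside(tmpdir, webroot):
        findings.append("temporary directory is inside the webroot")
    if allow_url_fopen_enabled(ini_text):
        findings.append("allow_url_fopen is enabled")
    return findings

if __name__ == "__main__":
    # Constructed layout: the configured temp path is a symlink into the webroot.
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(webroot, "albums", "tmp"))
    link = os.path.join(base, "gallery_tmp")
    os.symlink(os.path.join(webroot, "albums", "tmp"), link)
    sample_ini = "; allow_url_fopen = Off\nallow_url_fopen = On\n"  # constructed
    for finding in audit(webroot, link, sample_ini):
        print("FINDING:", finding)
```

An empty result from audit() means neither of these two conditions was found; upload rights and the debug/dev mode settings are not checked here.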

Solution :

All Gallery users should upgrade to the latest version:
# emerge sync
# emerge -pv '>=www-apps/gallery-1.4.4_p2'
# emerge '>=www-apps/gallery-1.4.4_p2'

Risk factor :

High / CVSS Base Score : 7.5
CVSS Temporal Score : 7.1
Public Exploit Available : true

Family: Gentoo Local Security Checks

Nessus Plugin ID: 14652 (gentoo_GLSA-200409-05.nasl)

CVE ID: CVE-2004-1466
