Gallery Remote Directory Traversal Vulnerability

Vulnerability ID: 1197608    Vulnerability type: Path traversal
Published: 2005-10-17    Updated: 2005-10-17
CVE ID: CVE-2005-3251
CNNVD ID: CNNVD-200510-132
Platform: N/A    CVSS score: 6.4
|Vulnerability sources
https://www.securityfocus.com/bid/89240
https://cxsecurity.com/issue/WLB-2005100044
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-132
|Vulnerability details
Gallery is a tool for building Flash photo and video galleries. The gallery script in Gallery 2.0 (G2) contains a directory traversal vulnerability. A remote attacker can read or include arbitrary files by supplying ".." sequences in the g2_itemId parameter.
|Exploit
Vendor information:

    Gallery is an open source web based photo album organizer.  The
    2.x is a newly released complete rewrite of the application.

    Url: http://gallery.menalto.com
    Contact: [email protected]

Vulnerability class:

    Input sanitization

Details:

    Michael Dipper has discovered an input sanitization issue that
    allows users to specially craft a url to access any file on the
    server that is accessible by the webserver.  The vulnerability
    may be used by any visitor to the Gallery, no user login is
    required.

Exploit:

    The vulnerability may be exploited by accessing a URL like this:

      http://example.com/gallery2/main.php
         ?g2_itemId=/../../../../../../../etc/aliases%00

    Internally the Gallery caching code uses this variable to
    construct a relative filename to a cache file.  Using ../..
    elements in the path allows you to escape the Gallery directory
    and view files that are not regularly available via the webserver.

Solution:

    The Gallery team has released Gallery 2.0.1 which resolves this
    security issue by validating the input variable, modifying the
    caching code to prevent it from generating paths with '..' in
    them, and modifying the choke point on included files to prevent
    it from loading files that contain '..' in them.

    Download 2.0.1 (including patch files from 2.0) from here:
      http://codex.gallery2.org/Gallery2:Download

    A big thanks to Michael Dipper for bringing this to our attention
    and providing us with lead time to make a patch available before
    fully disclosing it.

Vulnerable:
    Gallery 2.0
    Gallery 2.0 Beta 3
    Gallery 2.0 Beta 2
    Gallery 2.0 Beta 1
    Gallery 2.0 Alpha 4
    Gallery 2.0 Alpha 3
    Gallery 2.0 Alpha 2
    Gallery 2.0 Alpha 1
    CVS HEAD before 2005-10-13

Not Vulnerable:
    Gallery 1.x
    Gallery Remote (all versions)

Credit:
    Michael Dipper
    http://dipper.info/

History:
   20051012 - Initial discovery and reporting
              (Michael Dipper, micha-at-dipper.info )
   20051013 - Vendor fix released

|Affected products
Gallery Project Gallery 2.0 Beta3

Gallery Project Gallery 2.0 Beta2

Gallery Project Gallery 2.0 Beta1

Gallery Project Gallery 2.0 Alpha4

Gallery Project Gallery 2.0 Alpha3

|References

Source: gallery.menalto.com
Link: http://gallery.menalto.com/gallery_2.0.1_released
Source: MISC
Link: http://www.vuxml.org/freebsd/47bdabcf-3cf9-11da-baa2-0004614cc33d.html
Source: MISC
Link: http://dipper.info/security/20051012/
Source: SREASON
Name: 88
Link: http://securityreason.com/securityalert/88
Source: SECUNIA
Name: 17205
Link: http://secunia.com/advisories/17205
