Register | Forget Password | Login
Search :
SecurityReason

News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research
WLB

WLB Database

Send to WLB

About WLB
RSS

News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP
Corporate

Contact

About us
Services

SecurePHP
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Details : SecurityAlert

  Topic : Gallery Input Validation Bug in Processing Internal Cache Files Lets Remote Users Traverse the Directory
  SecurityAlert : 88
  CVE : CVE-2005-3251
  SecurityRisk : Medium  alert  (About)
  Remote Exploit : Yes
  Local Exploit : No
  Exploit Given : Yes
  Credit : Michael Dipper
  Published : 16.10.2005

  Affected Software : Gallery 2.0
Gallery 2.0 Beta 3
Gallery 2.0 Beta 2
Gallery 2.0 Beta 1
Gallery 2.0 Alpha 4
Gallery 2.0 Alpha 3
Gallery 2.0 Alpha 2
Gallery 2.0 Alpha 1
CVS HEAD before 2005-10-13




  Advisory Text :  

Vendor information:

Gallery is an open source web based photo album organizer. The
2.x is a newly released complete rewrite of the application.

Url: http://gallery.menalto.com
Contact: gallery@menalto.com

Vulnerability class:

Input sanitization

Details:

Michael Dipper has discovered an input sanitization issue that
allows users to specially craft a url to access any file on the
server that is accessible by the webserver. The vulnerability
may be used by any visitor to the Gallery, no user login is
required.

Exploit:

The vulnerability may be exploited by accessing a URL like this:

http://example.com/gallery2/main.php
?g2_itemId=/../../../../../../../etc/aliases%00

Internally the Gallery caching code uses this variable to
construct a relative filename to a cache file. Using ../..
elements in the path allow you to escape the Gallery directory
and view files that are not regularly available via the webserver.

Solution:

The Gallery team has released Gallery 2.0.1 which resolves this
security issue by validating the input variable, modifying the
caching code to prevent it from generating paths with '..' in
them, and modifying the choke point on included files to prevent
it from loading files that contain '..' in them.

Download 2.0.1 (including patch files from 2.0) from here:
http://codex.gallery2.org/Gallery2:Download

A big thanks to Michael Dipper for bringing this to our attention
and providing us with lead time to make a patch available before
fully disclosing it.

Vulnerable:
Gallery 2.0
Gallery 2.0 Beta 3
Gallery 2.0 Beta 2
Gallery 2.0 Beta 1
Gallery 2.0 Alpha 4
Gallery 2.0 Alpha 3
Gallery 2.0 Alpha 2
Gallery 2.0 Alpha 1
CVS HEAD before 2005-10-13

Not Vulnerable:
Gallery 1.x
Gallery Remote (all versions)

Credit:
Michael Dipper
http://dipper.info/

History:
20051012 - Initial discovery and reporting
(Michael Dipper, micha-at-dipper.info )
20051013 - Vendor fix released





  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

*BSD libc (strfmon) Multiple vulnerabilities

high- 2008-03-25

Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems.
Apache rss

» Apache Tomcat information
   disclosure

» Apache Tomcat <=
   6.0.18 UTF8 Directory
   Traversal Vulnerability

» Apache Tomcat information
   disclosure vulnerability

» Apache Tomcat XSS
   vulnerability
PHP rss

» PHP 5.2.6 (error_log)
   safe_mode bypass

» PHP 5.2.6 chdir(),ftok()
   (standard ext) safe_mode
   bypass

» PHP 5.2.6 posix_access()
   (posix ext) safe_mode
   bypass

» PHP 5.2.5 and prior :
   *printf() functions
   Integer Overflow
Copyright © SecurityReason. All Rights Reserved.