File: gentoo_GLSA-200409-05.nasl

package info (click to toggle)
nessus-plugins 2.2.8-1.1
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 15,508 kB
  • ctags: 251
  • sloc: sh: 8,346; ansic: 4,452; pascal: 3,089; perl: 704; makefile: 172; php: 1
file content (72 lines) | stat: -rw-r--r-- 2,754 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
 
# This script was automatically generated from 
#  http://www.gentoo.org/security/en/glsa/glsa-200409-05.xml
# It is released under the Nessus Script Licence.
# The messages are release under the Creative Commons - Attribution /
# Share Alike license. See http://creativecommons.org/licenses/by-sa/2.0/
#
# Avisory is copyright 2001-2005 Gentoo Foundation, Inc.
# GLSA2nasl Convertor is copyright 2004 Michel Arboi <mikhail@nessus.org>

if (! defined_func('bn_random')) exit(0);

if (description)
{
 script_id(14652);
 script_version("$Revision: 1.3 $");
 script_xref(name: "GLSA", value: "200409-05");

 desc = 'The remote host is affected by the vulnerability described in GLSA-200409-05
(Gallery: Arbitrary command execution)


    The upload handling code in Gallery places uploaded files in a temporary
    directory. After 30 seconds, these files are deleted if they are not valid
    images. However, since the file exists for 30 seconds, a carefully crafted
    script could be initiated by the remote attacker during this 30 second
    timeout. Note that the temporary directory has to be located inside the
    webroot and an attacker needs to have upload rights either as an
    authenticated user or via "EVERYBODY".
  
Impact

    An attacker could run arbitrary code as the user running PHP.
  
Workaround

    There are several workarounds to this vulnerability:
    Make sure that your temporary directory is not contained in the
    webroot; by default it is located outside the webroot.
    Disable upload rights to all albums for "EVERYBODY"; upload
    is disabled by default.
    Disable debug and dev mode; these settings are disabled by
    default.
    Disable allow_url_fopen in php.ini.
  
References:
    http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0757.html
    http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=134&mode=thread&order=0&thold=0


Solution: 
    All Gallery users should upgrade to the latest version:
    # emerge sync
    # emerge -pv ">=www-apps/gallery-1.4.4_p2"
    # emerge ">=www-apps/gallery-1.4.4_p2"
  

Risk factor : Medium
';
 script_description(english: desc);
 script_copyright(english: "(C) 2005 Michel Arboi <mikhail@nessus.org>");
 script_name(english: "[GLSA-200409-05] Gallery: Arbitrary command execution");
 script_category(ACT_GATHER_INFO);
 script_family(english: "Gentoo Local Security Checks");
 script_dependencies("ssh_get_info.nasl");
 script_require_keys('Host/Gentoo/qpkg-list');
 script_summary(english: 'Gallery: Arbitrary command execution');
 exit(0);
}

include('qpkg.inc');
if (qpkg_check(package: "www-apps/gallery", unaffected: make_list("ge 1.4.4_p2"), vulnerable: make_list("lt 1.4.4_p2")
)) { security_warning(0); exit(0); }