Signature Detail
Short Name |
HTTP:PHP:GALLERY:EMBED-AUTH-VAR |
|---|---|
Severity |
High |
Recommended |
No |
Recommended Action |
Drop |
Category |
HTTP |
Release Date |
2004/08/11 |
Update Number |
1213 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: Gallery Embedded USER AUTH Bypass (postvar)
This signature detects attempts to exploit a known vulnerability in Gallery, a Web-based photo album application written in php. Attackers can bypass user authorization to gain administrative privileges.
Extended Description
It has been disclosed that an attacker can bypass Gallery's authentication process, and log in as any user without a password. An attacker can override configuration variables by passing them in GET, POST or cookie arguments. Gallery simulates the 'register_globals' PHP setting by extracting the values of the various $HTTP_ global variables into the global namespace. Therefore, regardless of the 'register_globals' PHP setting, an attacker can override configuration variables. An attacker can change configuration variables and cause Gallery to skip the authentication steps. Versions prior to 1.4.3-pl2 are reported to be vulnerable.
Affected Products
- Debian Linux 3.0.0
- Debian Linux 3.0.0 Alpha
- Debian Linux 3.0.0 Arm
- Debian Linux 3.0.0 Hppa
- Debian Linux 3.0.0 Ia-32
- Debian Linux 3.0.0 Ia-64
- Debian Linux 3.0.0 M68k
- Debian Linux 3.0.0 Mips
- Debian Linux 3.0.0 Mipsel
- Debian Linux 3.0.0 Ppc
- Debian Linux 3.0.0 S/390
- Debian Linux 3.0.0 Sparc
- Gallery 1.4.0
- Gallery 1.4.0 -pl1
- Gallery 1.4.0 -pl2
- Gallery 1.4.1
- Gallery 1.4.2
- Gallery 1.4.3 -pl1
References