Information Assurance
Ily Zislin
Bugtraq Analysis: Remote exploit in Gallery photo gallery software
Bugtraq email: Remote exploit in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1

Gallery is photo album/gallery software written in PHP for websites hosting picture albums (http://gallery.sourceforge.net). The Bugtraq advisory caught my eye because I use this particular software, and have a lot of friends who do as well. Furthermore, the ease of the exploit was especially disturbing.

The problem arises because the Gallery authors incorrectly wrote the code that handles the case where the register_globals setting is disabled in PHP. (register_globals has been disabled by default in more recent versions of PHP because, when it is enabled, many additional security problems arise.) Gallery simulates the register_globals environment by putting HTTP POST variables into global variables. An issue comes up because a hacker can override HTTP_POST_VARS by constructing a URL as shown below:

http://example.com/gallery/init.php?HTTP_POST_VARS=xxx

As a result, a hacker can override Gallery variables, including $GALLERY_BASEDIR, and execute a PHP injection exploit, or simply gain access to the file system under the user ID of the web server, which is oftentimes root.

To prevent the problem, the programmers should have followed the PHP coding guidelines for use of global variables. The PHP authors disabled register_globals specifically because of security issues similar to the one described here. Furthermore, they can check to make sure the hacker is not overriding HTTP_POST_VARS, as shown in the code below.

    /* START OF NEW CODE */
    // Remove any request parameter named after one of the request arrays.
    $scrubList = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_POST_FILES');
    foreach ($scrubList as $outer) {
        foreach ($scrubList as $inner) {
            unset(${$outer}[$inner]);
        }
    }
    /* END OF NEW CODE */

In the future, perhaps PHP should implement a built-in mechanism to make sure that global variables are not being overwritten using POST calls.
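
An added example (not Gallery's code and not taken from the advisory): a simplified PHP model of the register_globals emulation described above, run on the same request with and without the scrub. The function name emulate_register_globals, the $vars array standing in for the global symbol table, and the albumName form field are assumptions made for the illustration.

```php
<?php
// Added illustration, not Gallery's init.php; runs from the PHP CLI.
const REQUEST_ARRAYS = ['HTTP_GET_VARS', 'HTTP_POST_VARS',
                        'HTTP_COOKIE_VARS', 'HTTP_POST_FILES'];

// $vars stands in for the global symbol table (an assumption of this
// model); the table is returned as it looks after the emulation ran.
function emulate_register_globals(array $vars, bool $scrub): array
{
    if ($scrub) {
        // Same logic as the fix quoted above: no request array may keep
        // a key that is named after one of the request arrays.
        foreach (REQUEST_ARRAYS as $outer) {
            if (!is_array($vars[$outer] ?? null)) {
                continue;
            }
            foreach (REQUEST_ARRAYS as $inner) {
                unset($vars[$outer][$inner]);
            }
        }
    }
    // Promote request parameters to "globals", one array after another.
    // Each array is read when its turn comes, so a parameter in an
    // earlier array can replace a later array unless the scrub ran.
    foreach (REQUEST_ARRAYS as $name) {
        if (!is_array($vars[$name] ?? null)) {
            continue;
        }
        foreach ($vars[$name] as $key => $value) {
            $vars[$key] = $value;
        }
    }
    return $vars;
}

// Constructed request modelled on the URL above: the query string carries
// HTTP_POST_VARS=xxx, the POST body carries one ordinary form field.
$request = [
    'HTTP_GET_VARS'    => ['HTTP_POST_VARS' => 'xxx'],
    'HTTP_POST_VARS'   => ['albumName' => 'holiday'],
    'HTTP_COOKIE_VARS' => [],
    'HTTP_POST_FILES'  => [],
];
foreach ([false, true] as $scrub) {
    $after = emulate_register_globals($request, $scrub);
    printf("scrub=%-3s HTTP_POST_VARS=%s albumName=%s\n", $scrub ? 'on' : 'off',
        json_encode($after['HTTP_POST_VARS']), json_encode($after['albumName'] ?? null));
}
```

The scrub unsets only the four request-array names; ordinary parameters, such as albumName here, are still promoted to globals.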