Any Response to Bugtraq security report?

djk

Joined: 2003-01-28
Posts: 5
Posted: Mon, 2003-02-10 15:00

There is a Bugtraq vulnerability posted on Bugtraq that recommends not using Gallery 1.3.3 on a shared host web server and is critical of the requirement of turning off safe-mode. Is there a response to these issues? Was Gallery given advance notice of this report before they posted it to Bugtraq?
==================================================
Report text and link below:

http://online.securityfocus.com/archive/1/31116

Quote:
To: BugTraq
Subject: Gallery 1.3.3
Date: Feb 10 2003 12:31AM
Author: error <error@lostinthenoise.net>
Message-ID: <1044837096.32678.50.camel@eris>

Vulnerable: gallery version 1.3.3 (other versions not tested)
Url: gallery.sf.net

Local exploit.

Gallery has a security hole where any other user on the same webserver
can create, modify or destroy photos in a given album directory.

Also Gallery requires that you turn off safe mode.

Each gallery setup needs a temp directory and an album directory.

Gallery accesses the album directory in a manner that requires
permissions of 755.

eg:
drwxr-xr-x 5 www wheel 512 Feb 9 16:02 albums

and inside albums:
ls -l
total 16
drwxrwxr-x 2 www wheel 3584 Feb 9 16:19 album01
drwxrwxr-x 2 www wheel 5120 Feb 9 16:25 album02
-rw-r--r-- 1 www wheel 65 Feb 9 16:02 albumdb.dat
-rw-r--r-- 1 www wheel 65 Feb 9 16:02 albumdb.dat.bak
-rw-r--r-- 1 www wheel 0 Feb 9 14:05 albumdb.dat.lock
-rw-r--r-- 1 www wheel 11 Feb 9 15:42 serial.dat

As a result anyone who has ever set up a gallery before can just have a
cgi running as user www (or whatever user apache is running as) move
files around.

This can be exploited with everything from SSI, perl to even php.

So on shared hosting gallery is a bad idea.

There is no fix for this as of this time.
This is a product of poor default web application security design.

--
error <error@lostinthenoise.net>

[ attachment: (application/pgp-signature) ]

http://online.securityfocus.com/archive/1/311161/2003-02-07/2003-02-13/0
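The exposure the quoted report describes, as an added audit script that is not part of the original post or of Gallery: it lists paths under an albums directory that the web server user owns, or that group or world can write, on the assumption that every customer's CGI or PHP on a shared host runs as that same user. The albums path and user name are arguments; the values in the usage comment are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Gallery: audit an albums tree for
# the shared-host exposure the report describes. On a shared host every
# customer's CGI/PHP runs as the same web server user, so anything that user
# owns (or that is group/world writable) can be altered by any other customer.

# Paths owned by the web server user: that user can rename, chmod or delete
# them regardless of the mode bits. Usage: owned_by_web_user ALBUMS_DIR USER
owned_by_web_user() {
    find "$1" -user "$2"
}

# Paths that group or world may write (e.g. the drwxrwxr-x album directories
# in the report), whatever the owner. Usage: writable_by_group_or_world ALBUMS_DIR
writable_by_group_or_world() {
    find "$1" \( -perm -020 -o -perm -002 \)
}

# Print a short summary and return non-zero if anything was flagged, so the
# function can run from a cron job or a deployment check.
audit_albums() {
    albums=$1
    webuser=$2
    owned=$(owned_by_web_user "$albums" "$webuser" | wc -l | tr -d ' ')
    writable=$(writable_by_group_or_world "$albums" | wc -l | tr -d ' ')
    echo "paths owned by $webuser:     $owned"
    echo "group/world writable paths:  $writable"
    [ "$owned" -eq 0 ] && [ "$writable" -eq 0 ]
}

# Example invocation (placeholder path and user, not from the thread):
#   audit_albums /var/www/html/albums www
```

A clean result on a shared host means the album files are owned by the customer account and not writable by the web server's group, which is the OS-level arrangement the later replies in this thread say only the host can provide.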

 
alindeman

Joined: 2002-10-06
Posts: 8194
Posted: Mon, 2003-02-10 22:56

Grrr, stupid people like this make me mad :mad: This is a side effect of any application that uses files created by a web server. There's nothing Gallery can do about it -- it's the Unix permissions system. He says 'poor application development', but what the hell does that mean? He proposes no solution, because there's no good solution unless security is enforced on the OS level by the host.

 
djk

Joined: 2003-01-28
Posts: 5
Posted: Tue, 2003-02-11 00:11

Would it be possible for somebody on the Gallery development team to write a 'positive' response to the Bugtraq report? Though it would be difficult, if not impossible, to write a program that would not allow what was reported, it would be good to show that the community is interested in improving and providing as secure a product as possible and is open to discussion.

What bothers me more is that it seems the report was posted without contacting the Gallery team first and allowing them to develop a response to the report. I find it unfair and not helpful to have issues reported without at least providing the ones responsible a chance to either correct the issue or have a response on how to handle the issue.

 
alindeman

Joined: 2002-10-06
Posts: 8194
Posted: Tue, 2003-02-11 00:31

Exactly. Sorry for my loud remarks, however, this guy obviously doesn't know what he is talking about and just wants some air time on BugTraq by posting some exploit that can't be addressed by the Gallery team. The ISP/host must address this by implementing security on the OS level.