[VIM] Not Quite: Ivan Gallery Script V.0.1 (index.php) Remote File Include Exploit
George A. Theall
theall at tenablesecurity.com
Tue Apr 17 01:37:31 UTC 2007
Bugtraq 23519 is not quite right. It concerns the Gallery script,
included as part of the Simple PHP Scripts project on SourceForge,
http://sourceforge.net/projects/sphp/.
The PoC accompanying the BID tries to exploit the flaw via the 'dir'
parameter of the 'index.php' script. Let's have a look, though. Code in
index.php from gallery-0.3.tar.bz2 looks like this:
$dir = '.';
session_start();
if (empty($_SESSION['images']) || isset($_GET['reload']))
{
    session_destroy();
    session_start();
    ...
    // the raw request value is stored in the session without any validation
    if (!empty($_REQUEST['gallery']))
        $_SESSION['gallery'] = $_REQUEST['gallery'];
    if (!empty($_SESSION['gallery']))
        $dir = $_SESSION['gallery'];
    ...
// $dir reaches include() unchanged; file_exists() is the only check on it
if (file_exists($dir.'/gallery.inc.php'))
    include($dir.'/gallery.inc.php');
$dir is initialized early on and the omitted code doesn't offer any
possibility to override it via, say, some type of register globals
emulation. Yet as should be obvious, there is a file include issue that
can be easily exploited. It's just that an attacker needs to use the
'gallery' request parameter rather than 'dir' and ensure the session is
a new one.
Another problem with the advisory is that the call to file_exists()
above limits the types of remote files that can be included. For
example, something like 'http://www.different-site.com/cmd.txt' as used
in the advisory won't fly but something like
'//computername/share/filename' might.
George
--
theall at tenablesecurity.com
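The following is an added example, not code from gallery-0.3 or from George's post: a hardened replacement for the $dir selection quoted above, restricting 'gallery' to a plain directory name under a fixed base directory so that neither stream-wrapper URLs nor UNC paths nor '..' ever reach file_exists()/include(). The constant GALLERY_BASE, the helper safe_gallery_dir() and the one-subdirectory-per-gallery layout are this example's own assumptions.

```php
<?php
// Added example: hardened gallery selection. GALLERY_BASE, safe_gallery_dir()
// and the directory layout are assumptions of this example, not the project's.

define('GALLERY_BASE', __DIR__ . '/galleries');   // assumed: one subdirectory per gallery

/**
 * Map an untrusted gallery name to a directory under GALLERY_BASE, or return
 * null if it cannot be trusted. The original accepts $_REQUEST['gallery'] as-is,
 * so a value like '//computername/share/dir' walks straight into include().
 */
function safe_gallery_dir(string $name): ?string
{
    // Plain names only: no slashes, backslashes, colons or dots, so neither
    // http:// / ftp:// wrappers, UNC paths nor '../' can be expressed at all.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath(GALLERY_BASE);
    $dir  = realpath(GALLERY_BASE . '/' . $name);
    if ($base === false || $dir === false) {
        return null;
    }
    // realpath() resolves symlinks, so a gallery symlinked to a location
    // outside the base directory is rejected as well.
    if (strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir;
}

$dir = '.';
session_start();
if (empty($_SESSION['images']) || isset($_GET['reload'])) {
    session_destroy();
    session_start();
    if (!empty($_REQUEST['gallery'])) {
        // Validate before the value goes into the session; the original stores
        // the raw value and reuses it on every later request.
        $candidate = safe_gallery_dir((string) $_REQUEST['gallery']);
        if ($candidate !== null) {
            $_SESSION['gallery'] = $candidate;
        }
    }
    if (!empty($_SESSION['gallery'])) {
        $dir = $_SESSION['gallery'];
    }
}

// file_exists() still runs, but the allowlist above no longer relies on it to
// keep remote or network paths out.
if (file_exists($dir . '/gallery.inc.php')) {
    include $dir . '/gallery.inc.php';
}
```

The essential change is that the decision about what may be included is made on a short, whitelisted name and on the resolved path, not on whether file_exists() happens to accept a given wrapper or share path.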