From: Daniel Woods (dwoods_at_ucalgary.ca)
Date: Thu Aug 01 2002 - 13:59:04 CDT


    FYI... If anyone is using Gallery (excellent photo albums for the web),
    then you should update, since a security hole is being exploited.

    Thanks... Dan.

    ---------- Forwarded message ----------
    Date: Wed, 31 Jul 2002 21:48:53 -0700
    From: Bharat Mediratta <bharatmenalto.com>
    To: gallery-announcelists.sourceforge.net, gallery-userslists.sourceforge.net
    Subject: [Gallery-announce] Security vulnerability in Gallery v1.3

    An alert system administrator for an ISP in Norway discovered
    a security vulnerability in Gallery yesterday. This security
    hole is a serious one; with it a malicious user can install a
    backdoor on your system and gain shell access with the same
    privileges as your webserver user. It's important that you
    realize that there are malicious people exploiting this bug
    *right* *now*. Read through to the bottom of this email for
    a list of IP addresses of sites that we believe may already
    be hacked, and ways to detect if you've been hacked.

    We resolved this security issue within a day. However, since
    we are right about to release Gallery v1.3.1 we are holding
    off on publishing the final v1.3.1 with the fix until we're
    sure that the release is stable. The target release date for
    v1.3.1 (with the security fix) is Friday 8/2/2002.

    _________
    UPGRADING

    In the meantime, if you would like you can upgrade to our
    latest build which is a release candidate and is very stable.
    You have two choices for upgrading.

    1. If you are using Gallery from CVS, you can simply get the
        latest code from cvs:

            % cd gallery
            % sh configure.sh
            % cvs update
            % sh secure.sh

    2. If you are using an official release, you can download a
        daily snapshot with the fix from:

        http://jpmullan.com/galleryupdates

        You should download the newest version (1.3.1-cvs-b11 or
        better).

    You can get help on upgrading here:

        http://gallery.sourceforge.net/help.php

    We really want to help you through this process, but a flood
    of people sending email to the mailing list after having
    problems without reading the README/UPGRADING documents will
    probably not be well received. Please be considerate of our
    time and do at least a *little* reading before you dive in :-)

    _____________________
    PATCHING YOUR GALLERY

    An alternative to doing a full upgrade is to patch the files
    that contain the security fix. This is relatively easy to do;
    all you need to do is edit these files:
        captionator.php
        errors/configmode.php
        errors/needinit.php
        errors/reconfigure.php
        errors/unconfigured.php

    and put these lines at the top of the file:
    <?
    // Hack prevention.
    // Refuse any request that tries to supply GALLERY_BASEDIR through
    // the query string, a POST body or a cookie; with register_globals
    // enabled, such a value would otherwise override the configured path.
    if (!empty($HTTP_GET_VARS["GALLERY_BASEDIR"]) ||
        !empty($HTTP_POST_VARS["GALLERY_BASEDIR"]) ||
        !empty($HTTP_COOKIE_VARS["GALLERY_BASEDIR"])) {
        print "Security violation\n";
        exit;
    }
    ?>

    If you are concerned or have doubts, it is also ok to simply
    rename or delete these files as a temporary measure until the
    official release is available. If your gallery is configured
    properly you should not need these files.

    ________________________
    POTENTIALLY HACKED HOSTS

    The hackers used Gallery to install a backdoor program on target
    systems. Search your system for a program called "bindshell" to
    see if you've been hacked.

    Also, I was provided with a list of other sites that had downloaded
    this backdoor program. It's entirely possible that these sites have
    also been hacked. I'm not sure if it's a good idea to publish this
    list or not, so I'm going to refer you to the story on the Gallery
    website which contains the list. If at some later point somebody
    tells me that it's a bad idea to publish it then I'll edit the story.
    Hope that's ok.
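    The patch above rejects any request that carries a GALLERY_BASEDIR
    parameter, which also makes such requests a useful thing to look for
    in web server logs. The script below is an added example, not part of
    the advisory or of Gallery: it parses Apache-style combined log lines
    (a constructed sample is embedded, with documentation-range addresses
    and a placeholder parameter value) and flags GET requests to the five
    files named above whose query string sets GALLERY_BASEDIR. POST bodies
    and cookies are not recorded in access logs, so those two channels
    cannot be checked this way; the log-format regex and file list are
    assumptions made for the example.

```python
"""Flag access-log requests that try to supply GALLERY_BASEDIR.

Added example; not part of the original advisory or of Gallery.
Assumes Apache common/combined log lines. Only the query string
is visible here: POST bodies and cookies are not logged.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Files the advisory says need the check (relative to the Gallery root).
GALLERY_FILES = {
    "captionator.php",
    "errors/configmode.php",
    "errors/needinit.php",
    "errors/reconfigure.php",
    "errors/unconfigured.php",
}

# Client, two ident/user fields, bracketed timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_basedir_override(target):
    """True if the request target names a listed Gallery file and its
    query string contains GALLERY_BASEDIR (even with an empty value)."""
    parts = urlsplit(target)
    path = parts.path.lstrip("/")
    if not any(path == f or path.endswith("/" + f) for f in GALLERY_FILES):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return "GALLERY_BASEDIR" in params


def find_suspicious(lines):
    """Return (client, timestamp, target, status) for each flagged request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_basedir_override(rec["target"]):
            hits.append((rec["client"], rec["ts"], rec["target"], rec["status"]))
    return hits


# Constructed sample log; addresses are from the documentation ranges and
# the parameter value is a placeholder, not a real payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jul/2002:20:15:02 -0700] "GET /gallery/album01/ HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [31/Jul/2002:20:16:44 -0700] "GET /gallery/errors/needinit.php?GALLERY_BASEDIR=PLACEHOLDER HTTP/1.0" 200 311 "-" "Wget/1.8"',
    '198.51.100.7 - - [31/Jul/2002:20:16:45 -0700] "GET /gallery/captionator.php?GALLERY_BASEDIR=PLACEHOLDER&page=1 HTTP/1.0" 200 298 "-" "Wget/1.8"',
    '192.0.2.11 - - [31/Jul/2002:20:17:01 -0700] "GET /gallery/captionator.php?page=2 HTTP/1.0" 200 4120 "-" "Mozilla/4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, ts, target, status in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {client} {status} {target}")
```

    Run it against a real log by replacing SAMPLE_LOG with the file's
    lines; a 200 status on a flagged request means the unpatched script
    accepted the parameter, which is when the "bindshell" search the
    advisory recommends is worth doing.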
