Description

"During the installation process it is possible to inject arbitrary PHP code into the database config file, leading to Remote Code Execution (RCE) on the target web server. For successful exploitation by an remote attacker it is required that the installation routine has not yet been completed on the web server.

However, another vulnerability in the administrator interface allows to delete arbitrary files. Thus, it is possible for an administrator to delete the database.php file with this second vulnerability, redo the installation, and inject a PHP backdoor with the first vulnerability. An XSS vulnerability (also reported in this release) can be used to gain admin privileges."

Remediation

Upgrade to the latest version of Gallery.

References

Gallery Project 3.0.4 BugBounty: Remote Code Execution (admin)

Related Vulnerabilities

Server-Side Template Injection

LimeSurvey Improper Neutralization of Formula Elements in a CSV File Vulnerability (CVE-2019-16184)

Magento Observable Differences in Behavior to Error Inputs Vulnerability (CVE-2020-15151)

OpenSSL Improper Authentication Vulnerability (CVE-2023-2975)

MySQL CVE-2022-21489 Vulnerability (CVE-2022-21489)

Severity

High

Classification

CWE-20 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Code Execution Known Vulnerabilities