Gallery 2.0.2 Security Fix Release
Gallery 2.0.1 and 2.0 have a minor security flaw. Here’s the announcement from the Gallery web site:
Gallery 2.0.2 is now available for download. This release adds no new features. It fixes a minor XSS exploit, a potential information leak and a file disclosure bug in the zipcart module that could allow remote visitors to view sensitive files on your webserver. These security flaws were discovered during an internal security audit of the Gallery 2 code, and there are no known exploits of them in the wild. However we strongly recommend that you upgrade to version 2.0.2 as soon as possible. If you’re unable to upgrade right away we recommend that you disable the zipcart module until time permits you to upgrade.
I came back today and saw a TON of access from various IPs. It is especially bad since now there seems to be an automated process that checks for this exploit. Ran the following to get the offending IPs:
tail -20000 access_log | grep '\.\.\.\.\.\./1\.0' | cut -f1 -d' ' | sort | uniq
The offending IPs seem to be:
- 12.44.172.92
- 12.44.181.220
- 63.160.77.236
It seems to have crawled the web for URLs that link to the gallery pictures and used those URLs to get to the gallery sites. It looks for both /album and /gallery URLs.
The logs are similar to
12.44.172.92 - - [04/Dec/2005:15:24:56 -0800] "GET /album/sa/ecuador/sa1.html HTTP/1.0" 302 276 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )" "-"
or
63.160.77.236 - - [04/Dec/2005:15:24:28 -0800] "GET /gallery/main.php?g2_view=core.ShowItem&g2_itemId=12&g2_GALLERYSID=21831e46358ea023c3289f30b9f7ffb5 HTTP/1.0" 200 14830 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )" "-"
If you use those URLs, you would get something like

Notice the “System Information” section? It shows a ton of stuff about your setup.
After the upgrade, that whole section will be gone, giving only the “Error Detail” section.
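The grep one-liner above matches the marker anywhere in a log line. As an added example (not part of the original post), the script below matches it only in the User-Agent field and breaks the hits down per client IP and per /album versus /gallery path. The function names, the sample log lines and their documentation-range IPs are constructed, and it assumes Apache combined log format with straight double quotes.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Apache combined log
# format with straight double quotes and no escaped quotes inside fields.

MARKER='....../1.0'   # User-Agent fragment from the log lines above

# scanner_summary: read access-log lines on stdin and print, per client IP,
# "<ip> total=<n> album=<n> gallery=<n> other=<n>" for marked requests.
scanner_summary() {
    awk -F'"' -v marker="$MARKER" '
        # Split on double quotes: $2 is the request line, $6 the User-Agent.
        NF >= 7 && index($6, marker) > 0 {
            split($1, head, " "); ip = head[1]
            split($2, req, " ");  path = req[2]
            total[ip]++
            if (path ~ /^\/album/) album[ip]++
            else if (path ~ /^\/gallery/) gallery[ip]++
            else other[ip]++
        }
        END {
            for (ip in total)
                printf "%s total=%d album=%d gallery=%d other=%d\n",
                       ip, total[ip], album[ip], gallery[ip], other[ip]
        }
    ' | sort
}

# Constructed sample lines (documentation-range IPs). The last one has the
# marker in the URL only, so the plain grep would flag it but this does not.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [04/Dec/2005:15:24:56 -0800] "GET /album/sa/page1.html HTTP/1.0" 302 276 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )" "-"
192.0.2.10 - - [04/Dec/2005:15:24:58 -0800] "GET /gallery/main.php?g2_itemId=12 HTTP/1.0" 200 14830 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )" "-"
198.51.100.7 - - [04/Dec/2005:15:25:03 -0800] "GET /gallery/main.php?g2_itemId=7 HTTP/1.0" 200 9120 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )" "-"
203.0.113.5 - - [04/Dec/2005:15:26:00 -0800] "GET /gallery/x?q=....../1.0 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed)" "-"
EOF
}

sample_log | scanner_summary
```

To run it against a real log, replace the last line with `tail -20000 access_log | scanner_summary`.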
