Gallery 3.0.4 remote code execution
Description
Gallery 3.0.4 contains a remote code execution vulnerability in its installation process that allows attackers to inject arbitrary PHP code into the database configuration file. This vulnerability can be exploited by unauthenticated attackers if the installation has not been completed. Additionally, authenticated administrators can exploit a file deletion vulnerability to remove the database.php configuration file, restart the installation process, and inject malicious PHP code. This attack chain can be further enhanced by leveraging a separate XSS vulnerability to obtain administrator privileges.
Remediation
Take the following steps to remediate this vulnerability:
1. Immediate Action: If Gallery 3.0.4 is currently in the installation phase, complete the installation process immediately or restrict network access to the installation interface until it can be completed.
2. Upgrade: Upgrade to the latest stable version of Gallery that addresses these vulnerabilities. Consult the Gallery Project's official website for the most recent secure release.
3. Verify Installation Completion: Ensure that the installation process has been properly completed and that installation scripts are not accessible. Remove or restrict access to installation files and directories after setup is complete.
4. Review Configuration: Inspect the database.php configuration file for any suspicious or unexpected PHP code that may have been injected.
5. Access Controls: Implement network-level access controls to restrict access to administrative interfaces and ensure that only authorized users can reach these endpoints.