Running gallery?

error error at sonic.net
Tue Feb 11 16:25:52 PST 2003




> Maybe I read this wrong, but this doesn't seem to have much to do with
> gallery.  You're going to run into this wherever you have multiple users
> whose cgi's run as the webserver UID, and webserver UID writable files
> and dirs.  CGIwrap would help in this case.

Yes this is true but there are some interesting points.
For one inside your album dir you have .htaccess that is configured as
owned by the webserver. Owned, not just r-x or r-- but rwx.

I think that's just as bad as making a file owned by you 777 and who in
their right mind does that?

I will tell you: people that get hacked.

Mind you this doesn't seem like much but it's just a silly way to do
things. There are better ways for just a few files on gallery.

Since you need to install the gallery with a script anyway it should
change ownership to another user outside of www and give www read only.

> The safe_mode thing *is* annoying though.  And gallery doesn't seem to work on
> php 4.3 (because of a register_globals side effect that has been fixed in
> php 4.3)  So there's definitely some code cleanup to be done.  I *think*
> that gallery is reasonably safe if you're running it on a server without
> untrusted users w/cgi access.  Meaning, I don't see any XSS issues with
> form input, or other client side trickery.

Gallery does work for me on 4.3 and it has some errors.
FreeBSD build however.

I agree about that bug some rewriting does need to take place. I did
notice that I don't get errors about that bug if I am logged in as an
admin.

I didn't even attempt to do any XSS or anything like that.
I just abhor content management security like this.
Really my issue is that people should know better but they barely do.
Someone responded to the post and asked for exploit code because they
still didn't believe it.

I mean the layers of security are just silly.
It should run in safemode at least but it doesn't even do that.
I mean that wouldn't stop this BUT it would stop it if the hosting only
gave out php scripting hosting.
So safemode would stop this but like I said, it even lacks that.

It's not a great program in just a few ways and it beats the pants off
of others in lots of ways.

How many sites are multi user?
Tons.

How many people know this stuff can happen?
I would wager a lot less.

> If I'm mistaken, I'd like to know 'cause I have a gallery installation
> up :)

So the irony of this is that I do as well.
I just don't intend on sharing access to the box.
And suExec is a good way to get around this problem.

I really feel that scripts (php, perl, etc) that use this as their
security model are not being smart. (eg: gallery lets the web user
manage everything, even .htaccess!)

It should be a requirement to have suExec for content management
systems.

(hey this is a new thread in itself!)

Mark: Does gracie do this?

Apache's way of handling things is flawed and it should be default.
I understand however their reasons for not doing it (tougher install,
doesn't work right on all platforms because of set uid/gid stuff).

With that said it's a tough spot to be in for people who write stuff
like gallery.

If your entire program can be read by webusers including .htaccess files
it really is not secure and should not be used widespread around the
net.


And what great timing! Here comes a php discussion tonight!

-- 
error <error at sonic.net>