Monday, April 22, 2013

Security Vulnerability for 2.6.1 Patched

Last week a security company alerted me to a vulnerability in Gallery Server Pro. In certain circumstances, a malicious user can manually construct an HTTP request to upload an arbitrary file to the server that may contain code, which may then be executed with a subsequent HTTP request. A user may also be able to upload a file to any album, even one where the user does not have edit album permission.

The fix is in the file GalleryServerPro.Web.dll (TechInfoSystem.GalleryServerPro.dll in the DotNetNuke version) and can be obtained in the patch listed on the release history page. Copy the DLL to your bin directory. No other action is necessary. (The other files in the patch fix a UI issue with IE10 and are not related to this vulnerability.)

I strongly recommend you apply this patch. It takes only a minute.

The fix has also been applied to the v3 code, so this vulnerability will not be present in the final 3.0 release.

I should stress that in a default installation anonymous users cannot take advantage of this vulnerability. To exploit the issue, the malicious user must already have a user account in the gallery and be logged on. To write a file outside the mediaobjects directory, the admin must have configured the IIS app pool identity to allow writing to those directories.

The source code for 2.6.1 has been updated, so no patch is necessary if you build from source. If you are curious, the fix is in the file Website\gs\handler\upload.ashx.cs (function SaveFileToServer).
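As an added illustration (not Gallery Server Pro's code and not the actual fix), the following C# helper shows the checks an upload handler needs to close this class of issue: an authorization check against the target album, a file-name and extension allowlist, and a containment check that the resolved destination stays under the media objects root. The class name, method name and parameters are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;

// Hypothetical hardened upload helper (illustration only, not the project's own code).
public static class SafeUpload
{
    // Allowlist of media extensions; anything not listed (.aspx, .ashx, .config, ...) is refused.
    private static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };

    public static string SaveToAlbum(string mediaRoot, string albumDirectory,
                                     string clientFileName, Stream content, bool userCanEditAlbum)
    {
        // 1. Authorization: the caller must hold edit permission on the destination album.
        if (!userCanEditAlbum)
            throw new UnauthorizedAccessException("User lacks edit permission on this album.");

        // 2. Never trust the client-supplied name: strip any directory component it carries.
        string safeName = Path.GetFileName(clientFileName);
        if (string.IsNullOrEmpty(safeName) || safeName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("Invalid file name.");

        // 3. Accept only known media types, compared case-insensitively.
        string ext = Path.GetExtension(safeName).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext))
            throw new ArgumentException("File type not permitted: " + ext);

        // 4. Resolve the final path and confirm it is inside the media objects root.
        string rootFull = Path.GetFullPath(mediaRoot).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        string destFull = Path.GetFullPath(Path.Combine(rootFull, albumDirectory, safeName));
        if (!destFull.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Destination escapes the media objects directory.");

        // 5. CreateNew refuses to overwrite an existing file, so an upload cannot replace
        //    another object (or race a concurrent upload) by reusing its name.
        using (var fs = new FileStream(destFull, FileMode.CreateNew, FileAccess.Write))
        {
            content.CopyTo(fs);
        }
        return destFull;
    }
}
```

The extension check alone does not stop a renamed payload from being stored, so it relies on the media objects directory never being served as executable content; the app pool identity and medium trust tips below are the defense in depth that limits what a stored file could do.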

My thanks go out to the company that responsibly reported this issue and gave me time to address it and get a fix into your hands.

Security best practice tips

Here are a few tips to maximize the security of your gallery installation:

  • Create a unique IIS app pool identity that is used solely for the gallery website. Lock down its permissions to read access for web files and read/write access to the App_Data and media objects directory.
  • Store the media objects directory outside the web application root. This has the added benefit of not triggering an app restart when an album is deleted (which deletes the directory, causing ASP.NET to restart the app).
  • Don’t let users enter HTML, and especially JavaScript, in titles and captions. These settings are on the User Settings page and are disabled by default.
  • Keep the option ‘Display detailed error message when an exception occurs’ disabled, turning it on for debugging only (Gallery Settings page).
  • Keep debug set to ‘false’ in web.config.
  • Switch to hashed or encrypted passwords for users.
  • Run the app in medium trust. This has a downside, though, in that you can’t take advantage of the features in the GSP Binary Pack.
  • (SQL Server) Use Windows Authentication to connect to the database using the IIS app pool identity and configure the database to give the smallest possible set of permissions to this user. Basically, that means select/execute permission on the views/stored procedures for 2.6 and select/update/insert/delete permission to the tables for 3.0+.
