CVE-2004-1466
Gallery < 1.4.4_p2 - Remote Code Execution via Temporary Directory Script Upload
Exploitation Summary
EIP tracks 1 public exploit for CVE-2004-1466. PoCs published by aCiDBiTS.
AI-analyzed exploit summary
This exploit targets a race condition in Gallery 1.4.4's `set_time_limit` function, allowing remote code execution by uploading a malicious PHP script disguised as an image. The script leverages a 30-second delay to execute arbitrary code before the file is verified and discarded.
Description
The set_time_limit function in Gallery before 1.4.4_p2 deletes non-image files in a temporary directory every 30 seconds after they have been uploaded using save_photos.php, which allows remote attackers to upload and execute arbitrary scripts before they are deleted, if the temporary directory is under the web root.
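The precondition named in the description, a temporary directory under the web root, can be audited on a deployment. The following is an added example, not code from Gallery or from this page; the function names, the accepted image signatures and the constructed sample layout are assumptions, and it goes slightly beyond the text by resolving symlinks before comparing paths.

```python
import os
import tempfile

# Leading bytes of the image formats an upload handler would accept (assumed set).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def is_under_web_root(temp_dir, web_root):
    """True if temp_dir resolves to web_root or a directory beneath it."""
    temp_real = os.path.realpath(temp_dir)   # follow symlinks first
    root_real = os.path.realpath(web_root)
    # commonpath compares whole components, so /srv/www2 is not "under" /srv/www.
    return os.path.commonpath([temp_real, root_real]) == root_real


def non_image_files(temp_dir):
    """Names of regular files in temp_dir whose content is not a known image."""
    found = []
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(8)
        if not head.startswith(IMAGE_MAGIC):
            found.append(name)
    return found


def build_sample():
    """Constructed layout: a web root holding a temp dir, a look-alike sibling, a symlink."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "www")
    inside = os.path.join(web_root, "albums", "tmp")
    sibling = os.path.join(base, "www2", "tmp")
    os.makedirs(inside)
    os.makedirs(sibling)
    with open(os.path.join(inside, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)   # constructed JPEG header
    with open(os.path.join(inside, "upload.php"), "wb") as fh:
        fh.write(b"constructed non-image content")
    link = os.path.join(base, "tmp-link")
    os.symlink(inside, link)   # path outside the web root that resolves inside it
    return web_root, inside, sibling, link
```

A temporary directory for which `is_under_web_root` returns True is reachable over HTTP, so any file `non_image_files` reports there is servable until the cleanup runs.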