Dec 01, 2005 - 12:00 a.m.

Gallery 2.x Security Advisory

Source: vulners.com

Gallery is an open source web based photo album organizer. Gallery 2.x
is a newly released complete rewrite of the application.

Url: http://gallery.menalto.com
Contact: [email protected]

An internal security audit turned up 3 separate vulnerabilities. These
are all resolved in Gallery 2.0.2, released on 11/28/2005 and available
here:

http://codex.gallery2.org/index.php/Gallery2:Download

Vulnerabilities:

  1. The installer records information in an install log that is stored
    in the gallery data directory. An attacker who discovers the location
    of this directory can read this file and learn details about the
    Gallery installation. The Gallery installer recommends that you put the
    gallery data directory outside of your webserver's document root, and
    allows you to name this directory anything that you choose; however,
    a user may still choose to put it in an obvious, web-accessible place.
    Site administrators can delete this file by hand to disarm the flaw.

  2. The "Add Image From Web" feature is vulnerable to cross-site
    scripting: javascript embedded inside <img> tags on the target page is
    executed, so a malicious page can be exploited via XSS that way. This
    requires the attacker to trick a Gallery user into loading images from
    that page.

  3. The zipcart module, if installed and activated, can be used to view
    any file on the webserver that is readable by the webserver user.
    Gallery is delivered in 4 flavors (minimal, typical, full, developer).
    The zipcart module is not included in the minimal or typical packages,
    and it is not installed by default even where it is shipped: it must
    be manually selected for installation and activation by the Gallery
    site administrator. Site administrators can deactivate this module to
    disarm the flaw.
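Flaws 1 and 3 above are both questions of where a path resolves: the data
directory (and the install log in it) must not sit under the document root,
and a download handler such as zipcart must not hand out files outside its own
directory. The following is an added example written for this advisory, not
Gallery's own code; the function names are hypothetical, the on-disk layout is
constructed for the demonstration, and how zipcart actually chose the files it
served is not described by the advisory, so the handler here is a generic
guard for that bug class rather than a reconstruction of it. Both checks
compare resolved real paths, so a symlink inside the allowed directory and a
directory whose name merely starts with the same string are handled correctly.

```python
import os
import shutil
import tempfile


def resolves_inside(base_dir, candidate):
    """True if `candidate` resolves (symlinks included) to a path inside `base_dir`.
    Real paths are compared, not string prefixes, so /var/www/html-data is not
    mistaken for a child of /var/www/html and a symlink under the base cannot
    point the check outside it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return target == base or target.startswith(base + os.sep)


def data_dir_is_web_exposed(document_root, data_dir):
    """Flaw 1: the Gallery data directory (install log included) should live
    outside the web server's document root. Returns True when it does not."""
    return resolves_inside(document_root, data_dir)


def safe_download_path(allowed_root, requested):
    """Flaw 3 (generic guard, hypothetical handler): serve only regular files
    that resolve inside `allowed_root`. `requested` is user-controlled; an
    empty name, an absolute path, '..' traversal or a symlink pointing outside
    the directory all yield None."""
    if not requested:
        return None
    full = os.path.join(allowed_root, requested)  # absolute `requested` discards allowed_root
    if not resolves_inside(allowed_root, full):
        return None
    if not os.path.isfile(full):
        return None
    return os.path.realpath(full)


def demo():
    """Build a throwaway layout (constructed for this example) and exercise both checks."""
    root = tempfile.mkdtemp(prefix="gallery-demo-")
    docroot = os.path.join(root, "htdocs")
    inside_data = os.path.join(docroot, "g2data")       # the mistake the advisory warns about
    outside_data = os.path.join(root, "g2data")         # the installer's recommendation
    lookalike = os.path.join(root, "htdocs-data")       # shares a string prefix with docroot only
    for d in (docroot, inside_data, outside_data, lookalike):
        os.makedirs(d, exist_ok=True)
    albums = os.path.join(outside_data, "albums")       # what the download handler may serve
    os.makedirs(albums)
    with open(os.path.join(albums, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8 not really a jpeg")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("db password\n")
    # a symlink inside the allowed directory that points outside it
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(albums, "link.txt"))
    results = {
        "data_inside_docroot": data_dir_is_web_exposed(docroot, inside_data),
        "data_outside_docroot": data_dir_is_web_exposed(docroot, outside_data),
        "lookalike_prefix": data_dir_is_web_exposed(docroot, lookalike),
        "legit_file": safe_download_path(albums, "photo.jpg") is not None,
        "dotdot": safe_download_path(albums, "../../secret.txt"),
        "absolute": safe_download_path(albums, os.path.join(root, "secret.txt")),
        "symlink_escape": safe_download_path(albums, "link.txt"),
    }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-22s %r" % (name, value))
```

Run it as a script to see the three escape attempts return None while the
legitimate album file is served; the same `resolves_inside` helper can be
pointed at a live installation's document root and data directory to confirm
the installer's recommendation was followed.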
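Flaw 2 above is a cross-site scripting bug in a feature that fetches a
third-party page, collects its <img> tags and shows them to the Gallery user
for selection. The block below is an added example, not Gallery's code: the
advisory does not say how Gallery rendered the picker, so the vulnerable
renderer here is an assumed, simplified version of that bug class (attribute
values copied from the fetched page straight into the Gallery page), shown
next to a hardened one. The attacker page is constructed for the example, the
function names are hypothetical, and the real feature would fetch the page
over HTTP rather than read it from a string.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a page a Gallery user is lured into importing images from.
# The third alt value is entity-encoded in the source and decodes to raw markup;
# the fourth closes the attribute early to smuggle in an event handler.
ATTACKER_PAGE = """
<html><body>
<img src="/photos/cat.jpg" alt="cat">
<img src="javascript:alert(document.cookie)" alt="trap">
<img src="x.jpg" alt="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">
<img src="https://example.org/a.png" alt='x" onerror="alert(2)'>
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect (src, alt) for every <img> on the fetched page. HTMLParser
    decodes entity references in attribute values, so what comes out is
    exactly the raw text an attacker wants re-emitted."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = dict(attrs)
        if a.get("src"):
            self.images.append((a["src"], a.get("alt") or ""))


def extract_images(page_html, page_url):
    """Parse the remote page and resolve relative image URLs against it."""
    p = ImgCollector()
    p.feed(page_html)
    p.close()
    return [(urljoin(page_url, src), alt) for src, alt in p.images]


ROW = '<input type="checkbox" name="img%d" value="%s"> <img src="%s" alt="%s">'


def render_picker_vulnerable(images):
    """Assumed shape of the bug: attacker-controlled values are concatenated
    into the Gallery page unescaped and without any URL scheme check."""
    return "\n".join(ROW % (i, src, src, alt) for i, (src, alt) in enumerate(images))


ALLOWED_SCHEMES = {"http", "https"}


def safe_image_url(url):
    """Keep only absolute http(s) URLs; a javascript: or data: src would run
    or be rendered as soon as the picker page loads."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        return None
    return url


def render_picker_hardened(images):
    """Drop non-http(s) sources and escape every value placed into an attribute
    (quote=True also encodes the double quote, which is what the fourth
    sample relies on)."""
    rows = []
    for i, (src, alt) in enumerate(images):
        url = safe_image_url(src)
        if url is None:
            continue
        url_attr = html.escape(url, quote=True)
        alt_attr = html.escape(alt, quote=True)
        rows.append(ROW % (i, url_attr, url_attr, alt_attr))
    return "\n".join(rows)


if __name__ == "__main__":
    imgs = extract_images(ATTACKER_PAGE, "http://attacker.test/gallery/")
    print("--- vulnerable picker ---")
    print(render_picker_vulnerable(imgs))
    print("--- hardened picker ---")
    print(render_picker_hardened(imgs))
```

Note that escaping alone is not enough: the `javascript:` source survives
`html.escape` untouched and would still execute as an image source or a
clickable value, which is why the hardened renderer filters on URL scheme
before it escapes.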

Vulnerable:
Gallery 2.0.1 (all flaws)
Gallery 2.0 (all flaws)
Gallery 2.0 RC 2 (all flaws)
Gallery 2.0 RC 1 (all flaws)
Gallery 2.0 Beta 3 (xss and zipcart flaws only)
Gallery 2.0 Beta 2 (xss and zipcart flaws only)
Gallery 2.0 Beta 1 (xss and zipcart flaws only)
Gallery 2.0 Alpha 4 (xss and zipcart flaws only)
Gallery 2.0 Alpha 3 (xss and zipcart flaws only)
Gallery 2.0 Alpha 2 (xss flaw only)
Gallery 2.0 Alpha 1 (xss flaw only)
CVS HEAD before 2005-11-26

Not Vulnerable:
Gallery 1 (all versions)
Gallery Remote (all versions)