galleryFlaws.txt

galleryFlaws.txt: Posted Dec 2, 2005; Authored by Bharat Mediratta; Gallery versions below 2.0.2 are susceptible to cross site scripting, arbitrary file viewing, and more.; tags | advisory, arbitrary, xss; SHA-256 | 2c5393607259ccfb2aa2a700aa8d219403e22be70086c84c95060151911f5edb; Download | Favorite | View

galleryFlaws.txt


Gallery is an open source web based photo album organizer.  The
2.x is a newly released complete rewrite of the application.

    Url: http://gallery.menalto.com
    Contact: gallery@menalto.com

An internal security audit turned up 3 separate vulnerabilities.  These 
are all resolved in Gallery 2.0.2, released on 11/28/2005 and available
here:

    http://codex.gallery2.org/index.php/Gallery2:Download

Vulnerabilities:

1.  The installer records information in an install log that is stored 
in the gallery data directory.  An attacker can discover the location of 
this directory and read this file to discover information about the 
Gallery installation.  The Gallery installer recommends that you put the 
gallery data directory outside of your webserver's document root, and 
allows you to name this directory anything that you choose, however if 
the user may choose to put it in an obvious place.  Site administrators 
can delete this file by hand to disarm the flaw.

2.  The "Add Image From Web" feature is vulnerable to executing 
javascript embedded inside <img> tags on the target page and can be 
exploited via XSS that way.  This requires the attacker to trick the a 
Gallery user into loading images from that page.

3.  The zipcart module, if installed and activated can be used to view 
any files on the webserver that are visible to the webserver user. 
Gallery is delivered in 4 flavors (minimal, typical, full, developer). 
The zipcart module is not included in the minimal or typical packages. 
It is also not installed by default.  It must be manually selected for 
install and activation by the Gallery site administrator.  Site 
administrators can deactivate this module to disarm the flaw.

Vulnerable:
    Gallery 2.0.1       (all flaws)
    Gallery 2.0         (all flaws)
    Gallery 2.0 RC 2    (all flaws)
    Gallery 2.0 RC 1    (all flaws)
    Gallery 2.0 Beta 3  (xss and zipcart flaws only)
    Gallery 2.0 Beta 2  (xss and zipcart flaws only)
    Gallery 2.0 Beta 1  (xss and zipcart flaws only)
    Gallery 2.0 Alpha 4 (xss and zipcart flaws only)
    Gallery 2.0 Alpha 3 (xss and zipcart flaws only)
    Gallery 2.0 Alpha 2 (xss flaw only)
    Gallery 2.0 Alpha 1 (xss flaw only)
    CVS HEAD before 2005-11-26

Not Vulnerable:
    Gallery 1 (all versions)
    Gallery Remote (all versions)

Top Authors In Last 30 Days

Red Hat 267 files
indoushka 178 files
Jay Turla 150 files
Ubuntu 74 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Gentoo 24 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,125)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,591)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,312)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,885)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,861)
UNIX (9,458)
UnixWare (188)
Windows (6,772)
Other

galleryFlaws.txt

galleryFlaws.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

galleryFlaws.txt

Share This

galleryFlaws.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems