Gallery 2.x Security Advisory

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Gallery 2.x Security Advisory
From: Bharat Mediratta <bharat@xxxxxxxxxxx>
Date: Wed, 30 Nov 2005 01:02:33 -0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)


Gallery is an open source web based photo album organizer.  The
2.x is a newly released complete rewrite of the application.

   Url: http://gallery.menalto.com
   Contact: gallery@xxxxxxxxxxx

An internal security audit turned up 3 separate vulnerabilities. Theseare all resolved in Gallery 2.0.2, released on 11/28/2005 and available

here:

   http://codex.gallery2.org/index.php/Gallery2:Download

Vulnerabilities:

1. The installer records information in an install log that is storedin the gallery data directory. An attacker can discover the location ofthis directory and read this file to discover information about theGallery installation. The Gallery installer recommends that you put thegallery data directory outside of your webserver's document root, andallows you to name this directory anything that you choose, however ifthe user may choose to put it in an obvious place. Site administratorscan delete this file by hand to disarm the flaw.

2. The "Add Image From Web" feature is vulnerable to executingjavascript embedded inside <img> tags on the target page and can beexploited via XSS that way. This requires the attacker to trick the aGallery user into loading images from that page.

3. The zipcart module, if installed and activated can be used to viewany files on the webserver that are visible to the webserver user.Gallery is delivered in 4 flavors (minimal, typical, full, developer).The zipcart module is not included in the minimal or typical packages.It is also not installed by default. It must be manually selected forinstall and activation by the Gallery site administrator. Siteadministrators can deactivate this module to disarm the flaw.


Vulnerable:
   Gallery 2.0.1       (all flaws)
   Gallery 2.0         (all flaws)
   Gallery 2.0 RC 2    (all flaws)
   Gallery 2.0 RC 1    (all flaws)
   Gallery 2.0 Beta 3  (xss and zipcart flaws only)
   Gallery 2.0 Beta 2  (xss and zipcart flaws only)
   Gallery 2.0 Beta 1  (xss and zipcart flaws only)
   Gallery 2.0 Alpha 4 (xss and zipcart flaws only)
   Gallery 2.0 Alpha 3 (xss and zipcart flaws only)
   Gallery 2.0 Alpha 2 (xss flaw only)
   Gallery 2.0 Alpha 1 (xss flaw only)
   CVS HEAD before 2005-11-26

Not Vulnerable:
   Gallery 1 (all versions)
   Gallery Remote (all versions)

Prev by Date: Re: DNS query spam
Next by Date: Re: DNS query spam
Previous by thread: [SECURITY] [DSA 912-1] New centericq packages fix denial of service
Next by thread: Opera 8.50 DoS with simple java applet
Index(es):
- Date
- Thread