Network Security Vuln-Dev

Gallery 2.x Security Advisory

Subject: Gallery 2.x Security Advisory
Date: Wed, 30 Nov 2005 01:02:33 -0800

Gallery is an open source, web-based photo album organizer. The 2.x series is a newly released, complete rewrite of the application.

   Url: http://gallery.menalto.com
   Contact: gallery@menalto.com

An internal security audit turned up 3 separate vulnerabilities. These are all resolved in Gallery 2.0.2, released on 11/28/2005 and available here:

   http://codex.gallery2.org/index.php/Gallery2:Download

Vulnerabilities:

1. The installer records information about the installation in an install log that is stored in the Gallery data directory. An attacker who discovers the location of this directory can read the file and learn details about the Gallery installation. The Gallery installer recommends that you put the data directory outside of your webserver's document root, and allows you to give this directory any name you choose; however, a user may choose to put it in an obvious place. Site administrators can disarm the flaw by deleting this file by hand.

2. The "Add Image From Web" feature fetches a target page and processes the <img> tags it finds there. JavaScript embedded inside those <img> tags is executed in the Gallery user's browser, so the feature can be exploited via XSS that way. This requires the attacker to trick a Gallery user into loading images from a page the attacker controls.
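The flaw class above is an attacker-controlled page whose <img> tags end up reflected into the Gallery user's browser. The block below is an added illustration and not Gallery's own code (Gallery 2 is written in PHP; Python is used here as a language-neutral sketch). It scrapes the <img> tags from a constructed attacker page, shows the vulnerable behaviour of echoing those tags verbatim, and the hardened behaviour of rebuilding each tag from an absolute http/https src only, HTML-escaped, so that event-handler attributes and javascript: pseudo-URLs never reach the output. The page content and the attacker.invalid / example.invalid hostnames are constructed for the example.

```python
import html
import re
from urllib.parse import urljoin, urlparse

# Constructed sample of a page the attacker lures the Gallery user into
# loading images from. Not taken from the advisory.
ATTACKER_PAGE = """
<html><body>
<img src="http://example.invalid/cat.jpg">
<img src="x" onerror="alert(document.cookie)">
<img src="javascript:alert(1)">
<img alt="dog" src='http://example.invalid/dog.jpg' width=10>
</body></html>
"""

IMG_TAG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_ATTR_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def extract_img_tags(page):
    """Return every <img ...> tag found in the fetched page, as raw text."""
    return IMG_TAG_RE.findall(page)


def render_vulnerable(page):
    """Vulnerable pattern: reflect the remote <img> tags verbatim into the
    image picker. Anything the attacker put in the tag (onerror=..., a
    javascript: src) now runs in the Gallery user's browser."""
    return "\n".join(extract_img_tags(page))


def render_hardened(page, base_url):
    """Hardened pattern: never reuse attacker markup. Take only the src
    value, resolve it against the page URL, allow http/https only, and
    rebuild a minimal tag with the value HTML-escaped."""
    rendered = []
    for tag in extract_img_tags(page):
        m = SRC_ATTR_RE.search(tag)
        if not m:
            continue
        src = urljoin(base_url, m.group(1))
        if urlparse(src).scheme not in ("http", "https"):
            continue  # drops javascript:, data:, vbscript: and friends
        rendered.append('<img src="%s">' % html.escape(src, quote=True))
    return "\n".join(rendered)


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(render_vulnerable(ATTACKER_PAGE))
    print("--- hardened ---")
    print(render_hardened(ATTACKER_PAGE, "http://attacker.invalid/page.html"))
```

The hardened renderer deliberately discards every attribute except a rebuilt src; if a picker needs width or alt text it should derive them itself rather than copy them from the remote page. Escaping alone is not enough: a src of `javascript:alert(1)` survives html.escape unchanged, which is why the scheme check is separate.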

3. The zipcart module, if installed and activated, can be used to read any file on the webserver that is readable by the webserver user. Gallery is delivered in 4 flavors (minimal, typical, full, developer). The zipcart module is not included in the minimal or typical packages, and even where it is included it is not installed by default: it must be manually selected for installation and activation by the Gallery site administrator. Site administrators can disarm the flaw by deactivating this module.
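Flaws 1 and 3 both come down to where a path resolves relative to a directory boundary: the install log is reachable over the web only if the data directory sits under the document root, and a download module that hands out arbitrary files is the classic failure to confine a requested name to the album directory. The block below is an added example and not Gallery's own code (Python rather than Gallery's PHP, as a language-neutral sketch). It uses one containment check, is_within, both as a deployment audit for the data directory and as the guard in a hardened download/zip builder, contrasted with an unconfined resolver. The directory layout, file names and function names are constructed for the example; the advisory does not say what the zipcart bug's root cause was, so the "../" traversal shown here is an assumption about the bug class, not a description of the actual defect.

```python
import io
import os
import tempfile
import zipfile


def is_within(base_dir, path):
    """True if path, after resolving symlinks and '..', lies inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return target == base or target.startswith(base + os.sep)


def data_dir_is_web_exposed(docroot, data_dir):
    # Flaw 1 audit: a data directory under the document root, and with it
    # the install log written there, can be fetched over HTTP by anyone who
    # guesses the directory name.
    return is_within(docroot, data_dir)


def resolve_download_vulnerable(album_dir, requested):
    # Assumed flaw 3 pattern: the requested name is joined onto the album
    # path with no containment check, so "../" sequences (or an absolute
    # path, which os.path.join simply returns) walk out of the album.
    return os.path.normpath(os.path.join(album_dir, requested))


def resolve_download_hardened(album_dir, requested):
    # Resolve first, then check containment on the resolved path.
    candidate = os.path.join(album_dir, requested)
    if not is_within(album_dir, candidate):
        raise PermissionError("path escapes album directory: %r" % (requested,))
    return os.path.realpath(candidate)


def build_cart_zip(album_dir, requested_names):
    """Bundle the requested album files into an in-memory zip, refusing escapes."""
    album_real = os.path.realpath(album_dir)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in requested_names:
            path = resolve_download_hardened(album_dir, name)
            zf.write(path, arcname=os.path.relpath(path, album_real))
    return buf.getvalue()


def demo():
    """Build a constructed layout in a temp dir and exercise both checks."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "htdocs")
        album = os.path.join(docroot, "gallery", "albums")
        os.makedirs(album)
        with open(os.path.join(album, "cat.jpg"), "wb") as f:
            f.write(b"not really a jpeg")
        secret = os.path.join(root, "secret.txt")  # outside the docroot
        with open(secret, "w") as f:
            f.write("db password")

        # Flaw 1: a data directory inside htdocs is exposed, one outside is not.
        results["datadir_inside_exposed"] = data_dir_is_web_exposed(
            docroot, os.path.join(docroot, "g2data"))
        results["datadir_outside_exposed"] = data_dir_is_web_exposed(
            docroot, os.path.join(root, "g2data"))

        # Flaw 3: traversal escapes the album through the vulnerable resolver...
        escaped = resolve_download_vulnerable(album, "../../../secret.txt")
        results["vulnerable_reads_secret"] = (
            os.path.realpath(escaped) == os.path.realpath(secret))
        # ...and is refused by the hardened one, for relative and absolute input.
        try:
            resolve_download_hardened(album, "../../../secret.txt")
            results["hardened_refuses"] = False
        except PermissionError:
            results["hardened_refuses"] = True
        try:
            resolve_download_hardened(album, "/etc/passwd")
            results["hardened_refuses_absolute"] = False
        except PermissionError:
            results["hardened_refuses_absolute"] = True

        data = build_cart_zip(album, ["cat.jpg"])
        results["zip_names"] = zipfile.ZipFile(io.BytesIO(data)).namelist()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because is_within compares realpath() results, a symlink planted inside the album that points outside it is rejected as well, which a purely lexical check for "../" in the input string would miss. The order matters: join, resolve, then compare; checking the raw request string before joining is the mistake that lets encoded or normalized variants through.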

Vulnerable:
   Gallery 2.0.1       (all flaws)
   Gallery 2.0         (all flaws)
   Gallery 2.0 RC 2    (all flaws)
   Gallery 2.0 RC 1    (all flaws)
   Gallery 2.0 Beta 3  (xss and zipcart flaws only)
   Gallery 2.0 Beta 2  (xss and zipcart flaws only)
   Gallery 2.0 Beta 1  (xss and zipcart flaws only)
   Gallery 2.0 Alpha 4 (xss and zipcart flaws only)
   Gallery 2.0 Alpha 3 (xss and zipcart flaws only)
   Gallery 2.0 Alpha 2 (xss flaw only)
   Gallery 2.0 Alpha 1 (xss flaw only)
   CVS HEAD before 2005-11-26

Not Vulnerable:
   Gallery 1 (all versions)
   Gallery Remote (all versions)

From: Bharat Mediratta