Gallery XSS security advisory (with fix and patch instructions)

From: Bharat Mediratta (bharat_at_menalto.com)
Date: 07/28/03

    To: <bugtraq@securityfocus.com>
    Date: Sun, 27 Jul 2003 16:19:34 -0700
    
    

    ___________________
    PROBLEM DESCRIPTION

    Gallery is an open source image management system. Learn more about
    it at http://gallery.sourceforge.net

    Gallery has a feature that allows users to search their image captions
    and descriptions for specific search terms. A typo in the sanitization
    code of this feature introduces a cross-site scripting vulnerability:
    malicious users can craft a URL such that JavaScript of their choosing
    executes in your browser.

    Many thanks to Larry Nguyen for noticing this bug and doing the responsible
    thing by bringing it to the attention of the Gallery dev team. As always,
    we react quickly to all notifications about security flaws.

    You can reproduce this vulnerability by enabling the search feature on
    Gallery and searching for this term:

        <script>alert("You are vulnerable")</script>

    If the resulting search page yields a JavaScript popup, your Gallery should
    be patched.

    _________________
    VERSIONS AFFECTED

    This hole affects all Gallery releases from version 1.1 to 1.3.4. It
    has been fixed in Gallery v1.3.4-p1 and the Gallery 1.3.5 development
    branch in CVS.

    __________________
    FIXING THE PROBLEM

    The fix to this problem is very simple. Pursue one of the following
    three options:

    1. Upgrade to v1.3.4-p1, available now on the Gallery website:
            http://gallery.sourceforge.net/download.php
       
       We provide a complete release of the code as well as a file that
       contains a patch from 1.3.4 with instructions.

    -- or --

    2. Edit search.php, locate this line:

            $searchString = removeTags($searchstring);

       and replace it with:

            $searchstring = removeTags($searchstring);

    -- or --

    3. Delete search.php from your gallery. This will secure your system but
       will also break the search feature so you will probably want to edit
       config.php and change this line:

            $gallery->app->default["showSearchEngine"] = "yes";

       to:

            $gallery->app->default["showSearchEngine"] = "no";
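
    The following is an added illustration of why the one-character typo in
    option 2 matters; it is not Gallery's code. PHP variable names are
    case-sensitive, so the sanitized value was assigned to a new variable
    ($searchString) while the unsanitized $searchstring continued on to the
    page. Gallery's real removeTags() is not reproduced here; the stand-in
    below (strip_tags plus htmlspecialchars) is an assumption.

```php
<?php
// Stand-in for Gallery's removeTags(); the real implementation is not on
// the advisory page. Assumption: strip tags, then HTML-encode the rest.
function removeTags(string $s): string
{
    return htmlspecialchars(strip_tags($s), ENT_QUOTES, 'UTF-8');
}

// Mirrors the buggy line in search.php (Gallery 1.1 through 1.3.4).
// $searchString (capital S) is a different variable from $searchstring,
// so the sanitized copy is never used and the raw input is echoed.
function renderResultsVulnerable(string $searchstring): string
{
    $searchString = removeTags($searchstring);   // typo: capital S
    return "<p>Results for: $searchstring</p>";
}

// Same function with the 1.3.4-p1 fix: the sanitized value overwrites the
// variable that is actually written into the page.
function renderResultsFixed(string $searchstring): string
{
    $searchstring = removeTags($searchstring);
    return "<p>Results for: $searchstring</p>";
}

// The advisory's own probe string, used here as a local self-test.
$probe = '<script>alert("You are vulnerable")</script>';

foreach (['vulnerable' => renderResultsVulnerable($probe),
          'fixed'      => renderResultsFixed($probe)] as $label => $html) {
    // A raw "<script" surviving in the output means the sanitizer was bypassed.
    $status = (stripos($html, '<script') !== false) ? 'XSS: raw tag echoed' : 'safe';
    echo str_pad($label, 10) . ": $status\n    $html\n";
}
```

    Only the fixed variant emits the encoded text alert(&quot;You are vulnerable&quot;)
    instead of a live script tag.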

    regards,
    Bharat Mediratta
    Gallery developer

