TITLE:
Gallery "username" Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA13887

VERIFY ADVISORY:
http://secunia.com/advisories/13887/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Gallery 1.x
http://secunia.com/product/1933/

DESCRIPTION:
Rafel Ivgi has discovered a vulnerability in Gallery, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "username" parameter in "login.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability has been confirmed on version 1.4.4-pl4. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
Rafel Ivgi

ORIGINAL ADVISORY:
http://theinsider.deep-ice.com/texts/advisory69.txt
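The bug class the advisory describes, as an added illustration that is not Gallery's code and not part of the original advisory: a hypothetical minimal login page that reflects the submitted "username" back into the form's value attribute. The first function echoes the value raw, which is what lets a crafted username break out of the attribute; the second encodes it for the HTML attribute context before output. The function names, the form markup and the probe string are made up for this example.

```php
<?php
// Added example, not Gallery's code. A hypothetical login.php that keeps the
// username in the form after a failed login, which is the usual reason a
// login page reflects this parameter at all.

// Vulnerable form: the raw request value is concatenated into an attribute.
// A value containing  "><script>...</script>  closes the attribute and the
// <input> tag and the browser runs the injected script in the site's origin.
function render_login_vulnerable(string $username): string
{
    return '<form method="post" action="login.php">'
        . '<input type="text" name="username" value="' . $username . '">'
        . '<input type="password" name="password">'
        . '<input type="submit" value="Login"></form>';
}

// Hardened form: encode for the context the value lands in (a double-quoted
// HTML attribute). ENT_QUOTES escapes both quote characters so the value can
// never terminate the attribute; the explicit charset keeps the encoder from
// mis-parsing multi-byte input.
function render_login_hardened(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="login.php">'
        . '<input type="text" name="username" value="' . $safe . '">'
        . '<input type="password" name="password">'
        . '<input type="submit" value="Login"></form>';
}

// Check used below: does the rendered page still contain a live <script> tag?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed probe (not from the advisory): closes the attribute and the tag,
// then injects a script element.
$probe = '"><script>alert(document.domain)</script>';

echo "vulnerable output:\n", render_login_vulnerable($probe), "\n";
echo "live script tag present: ",
    contains_script_tag(render_login_vulnerable($probe)) ? "yes" : "no", "\n\n";

echo "hardened output:\n", render_login_hardened($probe), "\n";
echo "live script tag present: ",
    contains_script_tag(render_login_hardened($probe)) ? "yes" : "no", "\n";
```

Run it with `php` from the command line; in the hardened output the probe survives only as `&quot;&gt;&lt;script&gt;...`, which the browser displays as text inside the value attribute rather than parsing as markup. The same encoding step has to be applied at every place the parameter is echoed, which is why the later comments in this thread note that -pl5 "did not actually fix what it was intended to" and a further release was needed.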
Good catch Lewk, didn't notice that Secunia changed the affected versions from the initial advisory. web-apps please verify and advise.
I confirmed this with upstream, and -pl5 will be getting released shortly with these fixes.
From Debian Security Advisory DSA 642-1 CAN-2004-1106 Jim Paris discovered a cross site scripting vulnerability which allows code to be inserted by using specially formed URLs. CVE-NOMATCH The upstream developers of gallery have fixed several cases of possible variable injection that could trick gallery to unintended actions, e.g. leaking database passwords. Please make sure this is the same and/or it's fixed too :)
CAN-2004-1106 has been advised in GLSA 200411-10. I assume that the CVE-NOMATCH issue koon mentioned is already fixed since we are using a way newer version of gallery than Debian does.
This isn't going to get fixed quickly. Gallery relies on an older version of ImageMagick which has recently disappeared from the tree ... :( Best regards, Stu
When CVS returns, I will package-mask Gallery for now. Best regards, Stu
XSS downgrading severity.
http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147&mode=thread&order=0&thold=0 Gallery 1.4.4-pl5 is out.
1.4.4-pl5 fixes both the XSS and the issue with ImageMagick. Nothing probably needs to change in the ebuild aside from the version number.
web-apps: please unmask and bump
Looks like swtaylor bumped the ebuild, all arches are marked stable, good catch lewk. Please enter a changelog entry and post to the bug next time, it makes keeping track a little easier. Moving to GLSA status since the maintainer kept keywords.
GLSA 200501-45 by lewk
Apparently Gallery is still vulnerable? http://www.securityfocus.com/archive/1/389270 web-apps, please verify and advise.
- - - The recent release of 1.4.4-pl5 was meant to resolve some security problems, however after another analysis of the code the fix did not actually fix what it was intended to. 1.4.4-pl6 is now available and should properly fix the security problems. Please see the 1.4.4-pl5 announcement for more information about the security problems. All Gallery users are strongly urged to upgrade to 1.4.4-pl6 immediately, which fixes this problem and will secure your system. Gallery 1.4.4-pl6 can be downloaded from http://sourceforge.net/project/showfiles.php?group_id=7130 -Chris Gallery Project Manager - - - web-apps, please bump.
http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=149&mode=thread&order=0&thold=0 gallery 1.4.4-pl6 released This should fix the unfixed bug
swtaylor strikes again! He bumped -pl6 a few days ago, and retained keywords. Moving to GLSA status.
Security, please vote
I vote YES for an update to the old GLSA.
I will write and UPDATE glsa.
GLSA 200501-45 has been updated, and an UPDATE GLSA sent.