Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 78522 - www-apps/gallery: "username" XSS vulnerability
Summary: www-apps/gallery: "username" XSS vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL: http://theinsider.deep-ice.com/texts/...
Whiteboard: A4 [glsa] lewk
Keywords:
Depends on: 72036
Blocks:
  Show dependency tree
 
Reported: 2005-01-18 08:22 UTC by Luke Macken (RETIRED)
Modified: 2005-02-10 09:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2005-01-18 08:22:15 UTC
TITLE:
Gallery "username" Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA13887

VERIFY ADVISORY:
http://secunia.com/advisories/13887/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
>From remote

SOFTWARE:
Gallery 1.x
http://secunia.com/product/1933/

DESCRIPTION:
Rafel Ivgi has discovered a vulnerability in Gallery, which can be
exploited by malicious people to conduct cross-site scripting
attacks.

Input passed to the "username" parameter in "login.php" isn't
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

The vulnerability has been confirmed on version 1.4.4-pl4. Other
versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
Rafel Ivgi

ORIGINAL ADVISORY:
http://theinsider.deep-ice.com/texts/advisory69.txt
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-18 09:24:00 UTC
Good catch Lewk, didn't notice that Secunia changed the affected versions from the initial advisory.

web-apps please verify and advise.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2005-01-18 16:57:00 UTC
I confirmed this with upstream, and -pl5 will be getting released shortly with these fixes.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-19 01:31:24 UTC
From Debian Security Advisory DSA 642-1

CAN-2004-1106
    Jim Paris discovered a cross site scripting vulnerability which
    allows code to be inserted by using specially formed URLs.

CVE-NOMATCH
    The upstream developers of gallery have fixed several cases of
    possible variable injection that could trick gallery to unintended
    actions, e.g. leaking database passwords.

Please make sure this is the same and/or it's fixed too :)
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2005-01-22 04:26:57 UTC
CAN-2004-1106 has been advised in GLSA 200411-10.
I assume that the CVE-NOMATCH issue koon mentioned is already fixed since we are using a way newer version of gallery then debian does.
Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2005-01-23 08:38:37 UTC
This isn't going to get fixed quickly.  Gallery relies on an older version of ImageMagick which has recently disappeared from the tree ... :(

Best regards,
Stu
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2005-01-23 08:47:48 UTC
When CVS returns, I will package-mask Gallery for now.

Best regards,
Stu
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-23 10:28:22 UTC
XSS downgrading severity.
Comment 9 Chris Kelly 2005-01-26 08:01:39 UTC
1.4.4-pl5 fixes both the XSS and the issue with ImageMagick.  Nothing probably needs to change in the ebuild aside from the version number.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 06:36:52 UTC
web-apps: please unmask and bump
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2005-01-29 13:21:46 UTC
Looks like swtaylor bumped the ebuild, all arches are marked stable, good catch lewk.
Pls enter a changelog entry and post to the bug next time, makes keeping track a little easier.

Moving to glsa status since maintainer kept keywords.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-01-31 01:09:02 UTC
GLSA 200501-45 by lewk
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-02-02 16:17:20 UTC
Apparently Gallery is still vulnerable?

http://www.securityfocus.com/archive/1/389270

web-apps, please verify and advise.
Comment 14 Luke Macken (RETIRED) gentoo-dev 2005-02-07 18:12:34 UTC
- - -
The recent release of 1.4.4-pl5 was meant to resolve some security
problems, however after another analysis of the code the fix did not
actually fix what it was intended to. 1.4.4-pl6 is now available and
should properly fix the security problems. Please see the 1.4.4-pl5
announcement for more information about the security problems.

All Gallery users are strongly urged to upgrade to 1.4.4-pl6
immediately, which fixes this problem and will secure your system.

Gallery 1.4.4-pl6 can be downloaded from
http://sourceforge.net/project/showfiles.php?group_id=7130

-Chris
Gallery Project Manager
- - -

web-apps, please bump.
Comment 15 James Gilliland 2005-02-07 18:19:41 UTC
http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=149&mode=thread&order=0&thold=0
gallery 1.4.4-pl6 released
This should fix the unfixed bug
Comment 16 Luke Macken (RETIRED) gentoo-dev 2005-02-10 06:05:28 UTC
swtaylor strikes again!

He bumped -pl6 a few days ago, and retained keywords.  Moving to GLSA status.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-02-10 06:53:54 UTC
Security, please vote
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-10 08:16:34 UTC
I vote YES for an update to the old GLSA.
Comment 19 Luke Macken (RETIRED) gentoo-dev 2005-02-10 08:23:37 UTC
I will write and UPDATE glsa.
Comment 20 Luke Macken (RETIRED) gentoo-dev 2005-02-10 09:47:17 UTC
GLSA 200501-45 has been updated, and an UPDATE GLSA sent.