Bug 78522 - www-apps/gallery: "username" XSS vulnerability
Summary: www-apps/gallery: "username" XSS vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance (priority / severity): High / minor
Assignee: Gentoo Security
Whiteboard: A4 [glsa] lewk
Depends on: 72036
Reported: 2005-01-18 08:22 UTC by Luke Macken (RETIRED)
Modified: 2005-02-10 09:47 UTC

Description Luke Macken (RETIRED) gentoo-dev 2005-01-18 08:22:15 UTC
Gallery "username" Cross-Site Scripting Vulnerability

Critical: Less critical
Impact: Cross Site Scripting
Where: From remote
Software: Gallery 1.x

Rafel Ivgi has discovered a vulnerability in Gallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "username" parameter in "login.php" isn't
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

The vulnerability has been confirmed on version 1.4.4-pl4. Other
versions may also be affected.

Solution: Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by: Rafel Ivgi

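The advisory above describes a reflected XSS with an HTML attribute sink: whatever arrives in "username" is written back into the login form unencoded. The PHP below is an added example written for this page, not Gallery's own login.php and not the reporter's exploit; the two render functions, the payload and the regression check are hypothetical stand-ins that model the flaw and its fix.

```php
<?php
// Added illustration, not code from Gallery 1.4.4 or from the reporter.
// The two render functions are hypothetical stand-ins for the "username"
// handling in login.php that the advisory describes; Gallery's real
// template code is not reproduced here.
declare(strict_types=1);

// Vulnerable pattern: the submitted username is echoed straight back into
// the value attribute, so a payload containing "> can close the attribute
// and the tag and start its own <script> element.
function render_login_vulnerable(string $username): string
{
    return '<form method="post" action="login.php">'
         . '<input type="text" name="username" value="' . $username . '">'
         . '</form>';
}

// Hardened pattern: HTML-encode for the attribute context at the point of
// output. ENT_QUOTES also encodes single quotes (the attribute might be
// single-quoted elsewhere), and naming the charset avoids the multibyte
// encoding mismatches that have been used to slip past htmlspecialchars().
function render_login_fixed(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="login.php">'
         . '<input type="text" name="username" value="' . $safe . '">'
         . '</form>';
}

// Regression check of the kind worth running before calling a release
// fixed: render once with an empty username to get the static template,
// then with the payload. If the payload added any '<' or '"' beyond what
// the template already contains, it broke out of the attribute context.
function payload_escapes_attribute(callable $render, string $payload): bool
{
    $baseline = $render('');
    $rendered = $render($payload);
    return substr_count($rendered, '<') > substr_count($baseline, '<')
        || substr_count($rendered, '"') > substr_count($baseline, '"');
}

// Constructed test payload (not the one from the original report).
$payload = '"><script>alert(document.cookie)</script><input value="';

foreach (['render_login_vulnerable', 'render_login_fixed'] as $fn) {
    $broken = payload_escapes_attribute($fn, $payload);
    printf("%-24s %s\n", $fn,
        $broken ? 'VULNERABLE: payload reflected as markup' : 'ok: payload encoded');
    echo "  ", $fn($payload), "\n";
}
```

Run it with `php example.php`: the vulnerable renderer reports the payload as live markup, the hardened one reports it encoded. The template-versus-payload comparison is deliberately independent of how the fix is implemented, which is the property you want in a check when a release that claims to fix an XSS (as 1.4.4-pl5 did later in this bug) turns out not to.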
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-18 09:24:00 UTC
Good catch Lewk, didn't notice that Secunia changed the affected versions from the initial advisory.

web-apps please verify and advise.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2005-01-18 16:57:00 UTC
I confirmed this with upstream, and -pl5 will be getting released shortly with these fixes.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-19 01:31:24 UTC
From Debian Security Advisory DSA 642-1

    Jim Paris discovered a cross site scripting vulnerability which
    allows code to be inserted by using specially formed URLs.

    The upstream developers of gallery have fixed several cases of
    possible variable injection that could trick gallery to unintended
    actions, e.g. leaking database passwords.

Please make sure this is the same and/or it's fixed too :)
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2005-01-22 04:26:57 UTC
CAN-2004-1106 has been advised in GLSA 200411-10.
I assume that the CVE-NOMATCH issue koon mentioned is already fixed since we are using a way newer version of gallery than Debian does.
Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2005-01-23 08:38:37 UTC
This isn't going to get fixed quickly.  Gallery relies on an older version of ImageMagick which has recently disappeared from the tree ... :(

Best regards,
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2005-01-23 08:47:48 UTC
When CVS returns, I will package-mask Gallery for now.

Best regards,
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-23 10:28:22 UTC
XSS downgrading severity.
Comment 9 Chris Kelly 2005-01-26 08:01:39 UTC
1.4.4-pl5 fixes both the XSS and the issue with ImageMagick.  Nothing probably needs to change in the ebuild aside from the version number.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 06:36:52 UTC
web-apps: please unmask and bump
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2005-01-29 13:21:46 UTC
Looks like swtaylor bumped the ebuild, all arches are marked stable, good catch lewk.
Pls enter a changelog entry and post to the bug next time, makes keeping track a little easier.

Moving to glsa status since maintainer kept keywords.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-01-31 01:09:02 UTC
GLSA 200501-45 by lewk
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-02-02 16:17:20 UTC
Apparently Gallery is still vulnerable?

web-apps, please verify and advise.
Comment 14 Luke Macken (RETIRED) gentoo-dev 2005-02-07 18:12:34 UTC
- - -
The recent release of 1.4.4-pl5 was meant to resolve some security
problems, however after another analysis of the code the fix did not
actually fix what it was intended to. 1.4.4-pl6 is now available and
should properly fix the security problems. Please see the 1.4.4-pl5
announcement for more information about the security problems.

All Gallery users are strongly urged to upgrade to 1.4.4-pl6
immediately, which fixes this problem and will secure your system.

Gallery 1.4.4-pl6 can be downloaded from

Gallery Project Manager
- - -

web-apps, please bump.
Comment 15 James Gilliland 2005-02-07 18:19:41 UTC
gallery 1.4.4-pl6 released
This should fix the unfixed bug
Comment 16 Luke Macken (RETIRED) gentoo-dev 2005-02-10 06:05:28 UTC
swtaylor strikes again!

He bumped -pl6 a few days ago, and retained keywords.  Moving to GLSA status.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-02-10 06:53:54 UTC
Security, please vote
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-10 08:16:34 UTC
I vote YES for an update to the old GLSA.
Comment 19 Luke Macken (RETIRED) gentoo-dev 2005-02-10 08:23:37 UTC
I will write and UPDATE glsa.
Comment 20 Luke Macken (RETIRED) gentoo-dev 2005-02-10 09:47:17 UTC
GLSA 200501-45 has been updated, and an UPDATE GLSA sent.