Gallery "username" Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
Cross Site Scripting
Rafel Ivgi has discovered a vulnerability in Gallery, which can be
exploited by malicious people to conduct cross-site scripting
Input passed to the "username" parameter in "login.php" isn't
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
The vulnerability has been confirmed on version 1.4.4-pl4. Other
versions may also be affected.
Edit the source code to ensure that input is properly sanitised.
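The advisory does not show the offending code, so the following is an added illustration, not Gallery's own login.php: a minimal PHP login form that reflects the "username" value into an HTML attribute unescaped, beside the hardened form that escapes it, plus a small regression check. Function names, the markup and the payload are hypothetical.

```php
<?php
// Added example, not Gallery code: shows the reflected-XSS pattern the advisory
// describes (submitted "username" echoed back into the page unescaped) and the
// hardened rendering. Function names and markup are hypothetical.

// Vulnerable: the submitted value is concatenated straight into the HTML.
function render_login_vulnerable(string $username): string
{
    return '<form method="post" action="login.php">'
         . '<input type="text" name="username" value="' . $username . '">'
         . '<input type="submit" value="Login"></form>';
}

// Hardened: escape for the HTML attribute context the value lands in.
// ENT_QUOTES encodes both quote styles, so the value cannot close value="...";
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_login_safe(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="login.php">'
         . '<input type="text" name="username" value="' . $safe . '">'
         . '<input type="submit" value="Login"></form>';
}

// Regression check: the literal payload must not reappear in the page as markup.
function reflects_unescaped(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// Constructed payload: closes the value attribute and the input tag, then injects script.
$payload = '"><script>alert(document.cookie)</script>';

foreach (['vulnerable' => 'render_login_vulnerable', 'hardened' => 'render_login_safe'] as $label => $fn) {
    $html = $fn($payload);
    printf("%-10s reflects payload unescaped: %s\n%s\n\n",
           $label, reflects_unescaped($html, $payload) ? 'yes' : 'no', $html);
}
```

Run it with the php CLI: the vulnerable variant emits the payload as live markup, the hardened one emits it with `<`, `>` and `"` encoded. The escaping shown is correct only for an HTML body or attribute context; a value that is instead placed inside a script block, a URL or an HTTP header needs the encoder for that context, and the same check should be repeated on every page that echoes the parameter.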
PROVIDED AND/OR DISCOVERED BY:
Good catch Lewk, didn't notice that Secunia changed the affected versions from the initial advisory.
web-apps, please verify and advise.
I confirmed this with upstream, and -pl5 will be getting released shortly with these fixes.
From Debian Security Advisory DSA 642-1
Jim Paris discovered a cross site scripting vulnerability which
allows code to be inserted by using specially formed URLs.
The upstream developers of gallery have fixed several cases of
possible variable injection that could trick gallery to unintended
actions, e.g. leaking database passwords.
Please make sure this is the same and/or it's fixed too :)
CAN-2004-1106 has been advised in GLSA 200411-10.
I assume that the CVE-NOMATCH issue koon mentioned is already fixed since we are using a way newer version of Gallery than Debian does.
This isn't going to get fixed quickly. Gallery relies on an older version of ImageMagick which has recently disappeared from the tree ... :(
When CVS returns, I will package-mask Gallery for now.
XSS downgrading severity.
Gallery 1.4.4-pl5 is out.
1.4.4-pl5 fixes both the XSS and the issue with ImageMagick. Nothing probably needs to change in the ebuild aside from the version number.
web-apps: please unmask and bump
Looks like swtaylor bumped the ebuild, all arches are marked stable, good catch lewk.
Please enter a changelog entry and post to the bug next time; it makes keeping track a little easier.
Moving to glsa status since maintainer kept keywords.
GLSA 200501-45 by lewk
Apparently Gallery is still vulnerable?
web-apps, please verify and advise.
- - -
The recent release of 1.4.4-pl5 was meant to resolve some security
problems, however after another analysis of the code the fix did not
actually fix what it was intended to. 1.4.4-pl6 is now available and
should properly fix the security problems. Please see the 1.4.4-pl5
announcement for more information about the security problems.
All Gallery users are strongly urged to upgrade to 1.4.4-pl6
immediately, which fixes this problem and will secure your system.
Gallery 1.4.4-pl6 can be downloaded from
Gallery Project Manager
- - -
web-apps, please bump.
gallery 1.4.4-pl6 released
This should fix the unfixed bug.
swtaylor strikes again!
He bumped -pl6 a few days ago, and retained keywords. Moving to GLSA status.
Security, please vote
I vote YES for an update to the old GLSA.
I will write an UPDATE GLSA.
GLSA 200501-45 has been updated, and an UPDATE GLSA sent.