___________________ PROBLEM DESCRIPTION Gallery is an open source image management system. Learn more about it at http://gallery.sourceforge.net Gallery has a feature that allows users to search their image captions and descriptions for specific search terms. A typo in the security code of this feature permits a cross site scripting bug that can allow malicious users to craft a URL such that they can execute javascript in your browser. Many thanks to Larry Nguyen for noticing this bug and doing the responsible thing by bringing it to the attention of the Gallery dev team. As always, we react quickly to all notifications about security flaws. You can reproduce this vulnerability by enabling the search feature on Gallery and searching for this term: <script>alert("You are vulnerable")</script> If the resulting search page yields a javascript popup, your Gallery should be patched. _________________ VERSIONS AFFECTED This hole affects all Gallery releases from version 1.1 to 1.3.4. It has been fixed in Gallery v1.3.4-p1 and the Gallery 1.3.5 development branch in CVS. __________________ FIXING THE PROBLEM The fix to this problem is very simple. Pursue one of the following three options: 1. Upgrade to v1.3.4-p1, available now on the Gallery website: http://gallery.sourceforge.net/download.php We provide a complete release of the code as well as a file that contains a patch from 1.3.4 with instructions. -- or -- 2. Edit search.php, locate this line: $searchString = removeTags($searchstring); and replace it with: $searchstring = removeTags($searchstring); -- or -- 3. Delete search.php from your gallery. This will secure your system but will also break the search feature so you will probably want to edit config.php and change this line: $gallery->app->default["showSearchEngine"] = "yes"; to: $gallery->app->default["showSearchEngine"] = "no"; regards, Bharat Mediratta Gallery developer
This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 09:41:46 PDT