TITLE:
Gallery Script Insertion and Session Handling Vulnerabilities

SECUNIA ADVISORY ID:
SA19104

VERIFY ADVISORY:
http://secunia.com/advisories/19104/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Cross Site Scripting, Manipulation of data

WHERE:
From remote

SOFTWARE:
Gallery 2.x
http://secunia.com/product/5879/

DESCRIPTION:
James Bercegay has reported some vulnerabilities in Gallery, which can be exploited by malicious people to conduct script insertion attacks and to bypass certain security restrictions.

1) Input passed to "getRemoteHostAddress()" via the X_FORWARDED_FOR HTTP header isn't properly sanitised before being saved. This can be exploited to spoof the IP address that is logged when adding comments in an album, or to execute arbitrary HTML and script code in a user's browser session in the context of an affected website when a malicious comment is viewed.

2) Input passed in the session id isn't properly sanitised before being used. This can be exploited to delete arbitrary files accessible to the web server process.

The vulnerabilities have been reported in versions 2 through 2.0.2.

SOLUTION:
Update to version 2.0.3.
http://codex.gallery2.org/index.php/Gallery2:Download

PROVIDED AND/OR DISCOVERED BY:
James Bercegay, GulfTech Security Research Team.

ORIGINAL ADVISORY:
http://gallery.menalto.com/gallery_2.0.3_released
http://www.gulftech.org/?node=research&article_id=00106-03022006

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.
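Both issues in the DESCRIPTION come down to trusting attacker-controlled input (a request header, and the session id) before it is logged or used as a filename. The PHP below is an added illustration, not Gallery's own code; the function names, the trusted-proxy flag and the session directory are hypothetical. It shows the validation a hardened version of each code path applies.

```php
<?php
// Added illustration (not Gallery's code). Function names and paths are hypothetical.

// Issue 1: X-Forwarded-For is set by the client, so it is only meaningful when a trusted
// proxy in front of the application rewrote it. Even then, accept only a value that
// parses as an IP address; otherwise fall back to the socket peer address.
function remoteHostAddress(array $server, bool $behindTrustedProxy = false): string
{
    $addr = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if ($behindTrustedProxy && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // The header may carry a comma-separated chain; the leftmost entry is the client.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            $addr = $first;
        }
    }
    return $addr;
}

// Whatever gets stored with a comment is still escaped on output, so a stored value can
// never become markup when the comment is viewed (defence in depth for issue 1).
function renderLoggedAddress(string $addr): string
{
    return htmlspecialchars($addr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Issue 2: a session id that reaches the filesystem must be a plain token, never a path.
// Reject anything outside a fixed alphabet before it is joined to the session directory.
function sessionFilePath(string $sessionDir, string $sessionId): ?string
{
    if (!preg_match('/^[A-Za-z0-9]{16,64}$/', $sessionId)) {
        return null; // not a valid token: refuse rather than touch any file
    }
    return rtrim($sessionDir, '/') . '/sess_' . $sessionId;
}

// Constructed sample requests (not real traffic).
$nonIpHeader = ['REMOTE_ADDR' => '203.0.113.5',
                'HTTP_X_FORWARDED_FOR' => '<b>not-an-ip</b>'];
$chainHeader = ['REMOTE_ADDR' => '203.0.113.5',
                'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.2'];

echo renderLoggedAddress(remoteHostAddress($nonIpHeader, true)), "\n"; // header rejected
echo renderLoggedAddress(remoteHostAddress($chainHeader, true)), "\n"; // first hop kept
var_dump(sessionFilePath('/var/lib/gallery/sessions', '../not-a-token')); // rejected
var_dump(sessionFilePath('/var/lib/gallery/sessions', 'a1b2c3d4e5f6a7b8c9d0')); // accepted
```

Honouring X-Forwarded-For only behind a proxy you control is the part most deployments get wrong; with the flag false the header is ignored entirely.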