Gallery Multiple Vulnerabilities

Posted on Wednesday, December 26, 2007 @ 18:29:02 CST in Security
by Raven

SECUNIA ADVISORY ID: SA28163

VERIFY ADVISORY: http://secunia.com/advisories/28163/

CRITICAL: Highly critical

IMPACT: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access

SOFTWARE: Gallery 2.x - http://secunia.com/product/5879/

DESCRIPTION: Some vulnerabilities and a weakness have been reported in Gallery, where some have unspecified impacts and others can be exploited by malicious users or malicious people to disclose sensitive information, conduct cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system. The vulnerabilities were reported in versions prior to 2.2.4. Note: In version 2.2.4, the Core module contains enhanced information disclosure protection and includes a fix for an unspecified redirection weakness.

1) An unspecified error within the Publish XP module can be exploited to create and upload files without proper authorisation.

2) An unspecified error within the admin controller of the URL rewrite module can be exploited to include local files.

3) Input passed via file names within the core and add-item modules is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

4) An unspecified vulnerability exists within the file extension check of uploaded files in the Core (Gallery application) / MIME module.

5) The Gallery Remote module does not properly verify the permissions for certain GR commands.

6) Certain input passed via HTTP PROPPATCH to the WebDAV module is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

7) Unspecified errors within the WebDAV view of the WebDAV module, the comment view of the Comment module, the Print modules, the hotlink protection of the URL rewrite module, and the slideshows of the Slideshow module can be exploited to disclose potentially sensitive information.

8) An unspecified weakness related to proxied request exists within the WebCam module.

SOLUTION: Update to version 2.2.4.

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY: http://gallery.menalto.com/gallery_2.2.4_released