LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

gallery: cross-site scripting vulnerability

Package(s):gallery CVE #(s):
Created:January 26, 2006 Updated:February 1, 2006
Description: Gallery, a web-based photo management system, has an input sanitizing problem with the user's fullname. An attacker can create a specially crafted fullname and inject script code into a victim's browser window in order to compromise the user's gallery.
Alerts:
Gentoo 200601-13 2006-01-26
(Log in to post comments)

gallery: cross-site scripting vulnerability

Posted Feb 2, 2006 5:10 UTC (Thu) by mattdm (guest, #18) [Link]

Actually, despite what the report says, I think there is a workaround which is valid for many or most deployments of Gallery -- don't give out gallery user accounts to other people. Visitors without a specific Gallery account (only needed to change things on the site) can't set a fullname, so there's no exploit.

I'm not saying it's not bad, just that it doesn't necessarily affect a lot of installations.

gallery: cross-site scripting vulnerability

Posted Feb 2, 2006 13:53 UTC (Thu) by jschrod (subscriber, #1646) [Link]

The vulnerability is only in Gallery 1.x.
If you still use Gallery 1.x, update to Gallery 2. It's worth it.

I'm just a user, and not connected to the project. I can only heartily recommend it.

Cheers, Joachim

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds