gallery: cross-site scripting vulnerability
Posted Feb 2, 2006 5:10 UTC (Thu) by mattdm
Parent article: gallery: cross-site scripting vulnerability
Actually, despite what the report says, I think there is a workaround which is valid for many or most deployments of Gallery -- don't give out gallery user accounts to other people. Visitors without a specific Gallery account (only needed to change things on the site) can't set a fullname, so there's no exploit.
I'm not saying it's not bad, just that it doesn't necessarily affect a lot of installations.