|
|
Log in / Subscribe / Register

gallery: cross-site scripting vulnerability

Package(s):gallery CVE #(s):
Created:January 26, 2006 Updated:February 1, 2006
Description: Gallery, a web-based photo management system, has an input sanitizing problem with the user's fullname. An attacker can create a specially crafted fullname and inject script code into a victim's browser window in order to compromise the user's gallery.
Alerts:
Gentoo 200601-13 gallery 2006-01-26
to post comments

gallery: cross-site scripting vulnerability

Posted Feb 2, 2006 5:10 UTC (Thu) by mattdm (subscriber, #18) [Link]

Actually, despite what the report says, I think there is a workaround which is valid for many or most deployments of Gallery -- don't give out gallery user accounts to other people. Visitors without a specific Gallery account (only needed to change things on the site) can't set a fullname, so there's no exploit.

I'm not saying it's not bad, just that it doesn't necessarily affect a lot of installations.

gallery: cross-site scripting vulnerability

Posted Feb 2, 2006 13:53 UTC (Thu) by jschrod (subscriber, #1646) [Link]

The vulnerability is only in Gallery 1.x.
If you still use Gallery 1.x, update to Gallery 2. It's worth it.

I'm just a user, and not connected to the project. I can only heartily recommend it.

Cheers, Joachim


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds