


Category:   Application (Multimedia)  >   Gallery
Vendors:   Gallery Project
Gallery Image Management Software Discloses Server Files to Remote Authenticated Users
SecurityTracker Alert ID:  1005868
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 30 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.3.2
Description:   A vulnerability was reported in the "Gallery" image management software. A remote authenticated user can view files on the system.

It is reported that a remote user can create a specially crafted URL to view arbitrary files on the system with the privileges of the web server. This is due to a bug in the use of the Windows XP Publishing subsystem that lets the remote user set the GALLERY_BASEDIR variable to an arbitrary directory on the server.

The vendor credits Michael Graff with reporting the flaw.

Impact:   A remote authenticated user can view files on the system with the privileges of the web server.
Solution:   The vendor has issued a fixed version (1.3.3), available at:

Alternately, the vendor has provided directions on how to edit the publish_xp_docs.php file [see the Source Message].

As a workaround, you can delete the 'publish_xp_docs.php' file to disable the vulnerable Windows XP Publishing feature.

Vendor URL:
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  Gallery v1.3.2 allows remote exploit (fixed in 1.3.3)


Gallery is an open source image management system.  Learn more about
it at

Gallery v1.3.2 introduced a new feature that allows users to publish
images to their website-based Gallery using the Windows XP Publishing
subsystem.  This feature introduced a bug that can allow a malicious
user to craft a URL such that they can get remote access to the web
server, as the user running the web server.

Many thanks to Michael Graff for noticing this hole and bringing it to
the attention of the Gallery dev team.  It's nice to see folks doing
the right thing with dangerous information.


The only affected official release is Gallery 1.3.2.  However, for
those of you tracking Gallery in CVS, this hole was introduced in
Gallery 1.3.2-cvs-b27 and was closed in Gallery 1.3.3-cvs-b6.


The fix to this problem is very simple.  Pursue one of the following
three options:

1. Upgrade to v1.3.3, available now on the Gallery website:

-- or --

2. Edit your publish_xp_docs.php and near the top of the file, modify
   the code so that this line:

        <?php require($GALLERY_BASEDIR . "init.php"); ?>

   appears after this block:

        // Hack prevention.
        if (!empty($HTTP_GET_VARS["GALLERY_BASEDIR"]) ||
            !empty($HTTP_POST_VARS["GALLERY_BASEDIR"]) ||
            !empty($HTTP_COOKIE_VARS["GALLERY_BASEDIR"])) {
                print "Security violation\n";
                exit;   // stop before init.php is required
        }

-- or --

3.  Delete publish_xp_docs.php.  This will secure your system but will
    also disable the Windows XP Publishing feature.

Bharat Mediratta
Gallery developer
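
A detection-side companion to the guard quoted in the message above, added here as an example and not part of the original advisory or of Gallery's code: it scans web server access-log lines for requests that supply GALLERY_BASEDIR as a query parameter name. The Combined Log Format, the sample lines and the function names are assumptions; POST bodies and cookies do not appear in a standard access log, so this covers only the GET case of the three sources the guard checks.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format (assumed): host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
GUARDED = "GALLERY_BASEDIR"  # the variable the vendor's guard refuses from clients

def param_names(target):
    """Return query parameter names roughly as PHP would register them."""
    names = []
    for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        name = name.split("[", 1)[0]              # name[] and name[k] still set $name
        names.append(re.sub(r"[ .]", "_", name))  # PHP maps spaces and dots to "_"
    return names

def flag_requests(lines):
    """Return (client, user, time, target, status) for requests that supply GUARDED."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        client, user, when, _method, target, status = m.groups()
        if GUARDED in param_names(target):
            hits.append((client, user, when, target, int(status)))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - alice [30/Dec/2002:10:01:02 +0000] '
    '"GET /gallery/publish_xp_docs.php HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - bob [30/Dec/2002:10:03:44 +0000] '
    '"GET /gallery/publish_xp_docs.php?GALLERY_BASEDIR=CONSTRUCTED HTTP/1.1" 200 311 "-" "-"',
    '198.51.100.7 - bob [30/Dec/2002:10:04:10 +0000] '
    '"GET /gallery/publish_xp_docs.php?GALLERY%5FBASEDIR=CONSTRUCTED HTTP/1.1" 200 311 "-" "-"',
    # The string appears only as a value here, so it must not be flagged.
    '203.0.113.5 - - [30/Dec/2002:10:05:00 +0000] '
    '"GET /gallery/albums.php?note=GALLERY_BASEDIR HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status on an unpatched 1.3.2 install is worth following up with the authenticated user named in the log line; on 1.3.3 the same request should return only the guard's "Security violation" output.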

