SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Gallery
Vendors:   Gallery Project
(Vendor Responds) Re: Gallery Image Management Software Lets Local Users Create or Modify Images
SecurityTracker Alert ID:  1006097
SecurityTracker URL:  http://securitytracker.com/id/1006097
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 13 2003
Impact:   Modification of user information
Vendor Confirmed:  Yes  
Version(s): 1.3.3
Description:   An access control vulnerability was reported in the Gallery image management software. A local user can create, modify, or delete images in an album directory.

It is reported that the software is configured so that the image album directories are writable by the web server process. A local user with the ability to write and execute CGI scripts can create a CGI script and have the web daemon execute it to manipulate the image files.

Impact:   A local user can create, modify, or delete images.
Solution:   The vendor has responded to say that the issue described is not peculiar to Gallery, but rather, is a general security issue related to the use of shared-servers with weak security policies.

The vendor provides a detailed discussion and some recommendations:

http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=67&mode=thread&order=1&thold=0

Vendor URL:  gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=67&mode=thread&order=1&thold=0
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)
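
The condition in the Description (album directories that the web server identity can modify) can be checked on a shared host with a short audit. The following is an added example, not code from Gallery or from the advisory. The album names, the uid values and the function names are assumptions made for illustration, and the sample tree is constructed. ACLs and root's permission bypass are not modelled.

```python
import os
import stat
import tempfile

def write_class(st, uid, gids):
    """Return which permission class ('owner', 'group', 'other') lets a process
    with this uid/gids create or delete entries in the directory, else None.
    POSIX consults exactly one class, in this order."""
    if st.st_uid == uid:
        cls, need = "owner", stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        cls, need = "group", stat.S_IWGRP | stat.S_IXGRP
    else:
        cls, need = "other", stat.S_IWOTH | stat.S_IXOTH
    return cls if st.st_mode & need == need else None

def audit_album_tree(root, web_uid, web_gids=frozenset()):
    """List (relative path, class, mode string) for every directory under root
    that the web server identity can modify."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.lstat(dirpath)
        cls = write_class(st, web_uid, web_gids)
        if cls:
            rel = os.path.relpath(dirpath, root)
            findings.append((rel, cls, stat.filemode(st.st_mode)))
    return sorted(findings)

def demo():
    """Constructed sample tree: one album locked down, one world-writable."""
    with tempfile.TemporaryDirectory(prefix="albums-") as root:
        for name, mode in (("vacation", 0o755), ("party", 0o777)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)
        me = os.geteuid()
        # Web server runs as a different account with no shared group.
        as_other = audit_album_tree(root, web_uid=me + 1)
        # Web server account owns the albums: the setup the advisory describes.
        as_owner = audit_album_tree(root, web_uid=me)
    return as_other, as_owner

if __name__ == "__main__":
    for label, result in zip(("other uid", "owner uid"), demo()):
        print(label, result)
```

Every directory reported for the web server's uid is one that any script executed under that same uid can alter, which is why the finding depends on how the shared server runs user CGI rather than on Gallery itself.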

Message History:   This archive entry is a follow-up to the message listed below.
Feb 10 2003 Gallery Image Management Software Lets Local Users Create or Modify Images



 Source Message Contents

Subject:  Gallery shared-server security


http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=67&mode=thread&order=1&thold=0 

The vendor has responded to say that the issue described is not peculiar to Gallery, but rather, is
a general security issue related to the use of shared-servers with weak security policies.  

The vendor provides a detailed discussion and some recommendations.


 
 



Copyright 2019, SecurityGlobal.net LLC