SecurityTracker.com
Category: Application (Multimedia) > Gallery
Vendors: Gallery Project
Gallery 'init.php' Authentication Flaw Grants Administrative Access
SecurityTracker Alert ID: 1010364
SecurityTracker URL: http://securitytracker.com/id/1010364
CVE Reference: CVE-2004-0522
Updated: Jun 8 2004
Original Entry Date: Jun 2 2004
Impact: User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.2 - 1.4.3-pl1
Description:   A vulnerability was reported in Gallery. A remote user can access the application with administrator privileges.

The vendor reported that a remote user can log in to an arbitrary user account (including an administrator's account) without any password by emulating the state in which Gallery is embedded. As a result, a remote user can log in to the Gallery application as an administrator and perform any actions on the target Gallery albums.

Impact:   A remote user can gain administrative access to the application.
Solution:   The vendor has released a fixed version (1.4.3-pl2), available at:

http://sourceforge.net/project/showfiles.php?group_id=7130

Vendor URL: gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=123&mode=thread&order=0&thold=0
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 2 2004 (Debian Issues Fix) Gallery 'init.php' Authentication Flaw Grants Administrative Access
Debian has released a fix.
Jun 17 2004 (Gentoo Issues Fix) Gallery 'init.php' Authentication Flaw Grants Administrative Access
Gentoo has released a fix.



 Source Message Contents

Subject:  http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=123&mode=thread&order=0&thold=0


http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=123&mode=thread&order=0&thold=0

 > Gallery 1.4.3-pl2 Security Release
 > Posted by: signe on Tuesday, June 01, 2004 - 04:01 PM

 > Notice: This affects all versions of Gallery from 1.2 to this release:

 > We have discovered a well-hidden but potentially serious security flaw in these versions
 > of Gallery which can allow a hacker to log in to your Gallery as an administrator and
 > perform any actions on your albums. No risk is posed to the webserver itself or any
 > non-Gallery data. All Gallery users are very strongly urged to upgrade to 1.4.3-pl2
 > immediately, which fixes this serious problem and will secure your system.

 > Gallery 1.4.3-pl2 can be downloaded from the Gallery Download Page.

http://sourceforge.net/project/showfiles.php?group_id=7130


 
 



Copyright 2019, SecurityGlobal.net LLC