Gallery Input Validation Bug in Processing Internal Cache Files Lets Remote Users Traverse the Directory
SecurityTracker Alert ID: 1015060|
SecurityTracker URL: http://securitytracker.com/id/1015060
(Links to External Site)
Date: Oct 14 2005
Disclosure of system information, Disclosure of user information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
A vulnerability was reported in Gallery. A remote user can view files on the target system.|
The 'main.php' script does not properly validate user-supplied input in the 'g2_itemID' parameter. A remote user can supply a specially crafted parameter value containing '../' directory traversal characters to view arbitrary files on the target system.
The flaw resides in the internal cache processing code.
A demonstration exploit URL is provided:
The vendor was notified on October 12, 2005.
Michael Dipper discovered this vulnerability.
A remote user can view files on the target system with the privileges of the target web service.|
The vendor has issued a fixed version (2.0.1), available at:|
Patches for 2.0 are also available at that location.
Vendor URL: gallery.menalto.com/ (Links to External Site)
Input validation error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: Gallery 2.x Remote File Access Vulnerability|
Gallery is an open source web based photo album organizer. The
2.x is a newly released complete rewrite of the application.
Michael Dipper has discovered an input sanitization issue that
allows users to specially craft a url to access any file on the
server that is accessible by the webserver. The vulnerability
may be used by any visitor to the Gallery, no user login is
The vulnerability may be exploited by accessing a URL like this:
Internally the Gallery caching code uses this variable to
construct a relative filename to a cache file. Using ../..
elements in the path allow you to escape the Gallery directory
and view files that are not regularly available via the webserver.
The Gallery team has released Gallery 2.0.1 which resolves this
security issue by validating the input variable, modifying the
caching code to prevent it from generating paths with '..' in
them, and modifying the choke point on included files to prevent
it from loading files that contain '..' in them.
Download 2.0.1 (including patch files from 2.0) from here:
A big thanks to Michael Dipper for bringing this to our attention
and providing us with lead time to make a patch available before
fully disclosing it.
Gallery 2.0 Beta 3
Gallery 2.0 Beta 2
Gallery 2.0 Beta 1
Gallery 2.0 Alpha 4
Gallery 2.0 Alpha 3
Gallery 2.0 Alpha 2
Gallery 2.0 Alpha 1
CVS HEAD before 2005-10-13
Gallery Remote (all versions)
20051012 - Initial discovery and reporting
(Michael Dipper, micha-at-dipper.info )
20051013 - Vendor fix released