Gentoo Archives: gentoo-announce

From: Luke Macken <lewk@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200411-10 ] Gallery: Cross-site scripting vulnerability
Date: Sat, 06 Nov 2004 17:55:46
Message-Id: 1099763620.13635.1.camel@tomservo.rh.rit.edu
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200411-10:01
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Low
8 Title: Gallery: Cross-site scripting vulnerability
9 Date: November 06, 2004
10 Bugs: #69904
11 ID: 200411-10:01
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Gallery is vulnerable to cross-site scripting attacks.
19
20 Background
21 ==========
22
23 Gallery is a web application written in PHP which is used to organize
24 and publish photo albums. It allows multiple users to build and
25 maintain their own albums. It also supports the mirroring of images on
26 other servers.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 www-apps/gallery < 1.4.4_p4 >= 1.4.4_p4
35
36 Description
37 ===========
38
39 Jim Paris has discovered a cross-site scripting vulnerability in
40 Gallery.
41
42 Impact
43 ======
44
45 By sending a carefully crafted URL, an attacker can inject and execute
46 script code in the victim's browser window, and potentially compromise
47 the users gallery.
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 All Gallery users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=www-apps/gallery-1.4.4_p4"
61
62 References
63 ==========
64
65 [ 1 ] Gallery Announcement
66 http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=142&mode=thread&order=0&thold=0
67
68 Availability
69 ============
70
71 This GLSA and any updates to it are available for viewing at
72 the Gentoo Security Website:
73
74 http://security.gentoo.org/glsa/glsa-200411-10.xml
75
76 Concerns?
77 =========
78
79 Security is a primary focus of Gentoo Linux and ensuring the
80 confidentiality and security of our users machines is of utmost
81 importance to us. Any security concerns should be addressed to
82 security@g.o or alternatively, you may file a bug at
83 http://bugs.gentoo.org.
84
85 License
86 =======
87
88 Copyright 2004 Gentoo Foundation, Inc; referenced text
89 belongs to its owner(s).
90
91 The contents of this document are licensed under the
92 Creative Commons - Attribution / Share Alike license.
93
94 http://creativecommons.org/licenses/by-sa/1.0

Attachments

File name MIME type
signature.asc application/pgp-signature