Gallery < 3.0.5 Multiple Vulnerabilities

medium Nessus Plugin ID 65767

Synopsis

The remote web server contains a PHP application that is affected by multiple vulnerabilities.

Description

According to its version number, the Gallery install hosted on the remote web server is affected by multiple vulnerabilities:

- The application is affected by a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input to the 'Module Name' field in the advanced settings. Administrator credentials are required in order to exploit this issue.

- An attacker can delete arbitrary files on the remote host under certain conditions when the 'Watermark' module is activated. After a watermark image file has been uploaded, the name of the image can be altered in the advanced settings section. This altered name is used when deleting the file and can allow an arbitrary file to be deleted. Successful exploitation requires administrator credentials.

- The application is affected by a remote code execution vulnerability when the application has not been fully installed. During the application setup, a user enters database information in which the 'host', 'username', and 'password' fields are not properly sanitized. An unauthenticated, remote attacker can take advantage of this vulnerability by using specially crafted input in the affected fields in order to execute arbitrary code on the remote host.

- The application is reportedly affected by an additional cross-site scripting issue related to the version of Flowplayer in use by Gallery.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Gallery 3.0.5 or later.

See Also

http://www.nessus.org/u?31a97ff3

http://galleryproject.org/gallery_3_0_5

Plugin Details

Severity: Medium

ID: 65767

File Name: gallery_305.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 4/2/2013

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:gallery_project:gallery

Required KB Items: www/PHP, Settings/ParanoidReport, www/gallery

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/21/2013

Vulnerability Publication Date: 7/21/2012

Reference Information

BID: 58172

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990