Nuked Gallery
Gallery Releases
Gallery 2.0.4 release / 2.1-RC-2a update

Posted on Saturday, March 11, 2006 @ 17:04:17 CST
Thanks once again to James Bercegay from GulfTech Security Research for tipping us off to a security vulnerability in Gallery 2.0.3 and the 2.1 release candidates. Your installation is only vulnerable if you have the register_globals PHP setting enabled. If you're vulnerable, an attacker can use this to execute a "local inclusion" exploit, or run code that's already on your server. This is especially dangerous if you allow upload privileges to users you don't trust, and your g2data directory is in a predictable location. We have released Gallery 2.0.4 and 2.1-RC-2a to fix this vulnerability, but it's also very easily patched by hand if you don't want to install a complete update. Read on for more details on how to quickly secure your Gallery install.

This vulnerability affects all versions of Gallery 2.x, but Gallery 1.x is not affected. If you're using Gallery 2.x we strongly recommend that you upgrade or secure your Gallery installation as soon as possible!

There are several quick and easy ways to secure your Gallery installation from this particular exploit. Pick whichever one of these makes the most sense to you. You only need to do one of these!
  1. The easiest way to secure your Gallery 2 install, in either 2.0.x or 2.1, is to simply delete the index.php file from inside your upgrade and install directories. When you next do an upgrade, you'll get a new, secure copy of these files. In the meantime you won't be able to run the install/upgrade code (but if your Gallery is working fine, you won't miss it).
  2. If you're using 2.0.x, we have provided update files that contain the minimum files you need to get your Gallery up to date. Follow the upgrading instructions to apply the patch.
  3. Turn off the register_globals PHP setting. Edit your server's php.ini file and find a line like this:
    register_globals = On
    
    and change it to:
    register_globals = Off
    
    then restart your webserver.
  4. Edit upgrade/index.php. The first line should be <?php. On the second line add the following:
    $stepOrder = array();
    
    Repeat this for install/index.php.
  5. If you have problems, please ask for help in the Gallery 2 Installation and Configuration Help forum.
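
A read-only check for the manual options above, as an added example that is not part of the original announcement or of Gallery's own code: it reports whether upgrade/index.php and install/index.php are deleted or carry the $stepOrder line, and what a given php.ini says about register_globals. The function names and output wording are assumptions, and it cannot tell whether the update files from option 2 were applied.

```shell
#!/bin/sh
# Added example: audit a Gallery 2 tree for hand-applied mitigations 1, 3 and 4.
# Function names and output words are assumptions made for this sketch.

# entry_state FILE -> absent | patched | unpatched
# "patched" means line 2 is the $stepOrder initialisation from option 4.
entry_state() (
    [ -e "$1" ] || { echo absent; exit 0; }
    line2=$(sed -n '2p' "$1" | tr -d ' \t\r')
    if [ "$line2" = '$stepOrder=array();' ]; then echo patched
    else echo unpatched; fi
)

# register_globals_state INI -> on | off | unknown
# Reads the last uncommented directive in that one php.ini; per-directory
# overrides such as .htaccess php_flag lines are not examined.
register_globals_state() (
    [ -r "$1" ] || { echo unknown; exit 0; }
    val=$(grep -i '^[[:space:]]*register_globals[[:space:]]*=' "$1" |
        tail -n 1 | cut -d= -f2 | cut -d';' -f1 | tr -d ' \t\r"' |
        tr '[:upper:]' '[:lower:]')
    case $val in
        on|1|true|yes) echo on ;;
        off|0|false|no|none) echo off ;;
        *) echo unknown ;;
    esac
)

# audit_gallery2 GALLERY_DIR [PHP_INI]
# Returns 0 when register_globals is off, or when each of the two entry
# points is either deleted (option 1) or initialises $stepOrder (option 4).
audit_gallery2() (
    rg=unknown
    if [ -n "${2:-}" ]; then rg=$(register_globals_state "$2"); fi
    echo "register_globals: $rg"
    exposed=0
    for step in upgrade install; do
        s=$(entry_state "$1/$step/index.php")
        echo "$step/index.php: $s"
        if [ "$s" = unpatched ]; then exposed=1; fi
    done
    if [ "$rg" = off ] || [ "$exposed" -eq 0 ]; then
        echo "result: mitigated"; exit 0
    fi
    echo "result: exposed"; exit 1
)

if [ "$#" -gt 0 ]; then audit_gallery2 "$@"; fi
```

Run it with the Gallery 2 directory as the first argument and, optionally, the path to the server's php.ini as the second.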
· News by dari