Nuked Gallery
Gallery Releases
Gallery 2.2.3 Security Fix Release

Posted on Thursday, August 30, 2007 @ 10:04:33 CDT
Gallery 2.2.3 is now available for download. This release adds no new features. It fixes critical application security bugs in the WebDAV and Reupload modules. If the WebDAV or Reupload modules are active in your Gallery we strongly recommend that you either disable them, upgrade them via Downloadable Plugins or perform a complete upgrade to version 2.2.3. Thanks go to Merrick Manalastas and Nicklous Roberts for reporting the issues to the Gallery Security team!

Gallery 2.2.3 is a small security upgrade from 2.2.2 and has the same requirements as 2.2.2. If you haven't upgraded to 2.2.x yet, please refer to the release announcement of Gallery 2.2 for highlights of changes and the requirements of the Gallery 2.2 release.

Read on for more details and upgrade instructions...



Is your Gallery installation affected? You can check whether the WebDAV or Reupload module is active on the Site Admin » Plugins page of your Gallery. If these modules are not active, you can safely skip Gallery 2.2.3.

Upgrading instructions:
  • Users of Gallery 2.2 or later versions can upgrade the WebDAV and Reupload modules via Downloadable Plugins from the official plugin repository. This is certainly the fastest and the easiest solution.
  • Upgrading is quick and easy, but if you're upgrading from 2.1 or earlier there are a few things you should know first, so be sure to scan the upgrading instructions. Upgrading from Gallery 2.2, 2.2.1 or 2.2.2 is even easier, since you don't need to replace all your gallery2/ files, only the changed files in the specific modules.

Security vulnerabilities - Gallery 2.2.3 addresses the following security vulnerabilities:
  • Unauthorized renaming of items possible with WebDAV (reported by Merrick Manalastas)
  • Unauthorized modification and retrieval of item properties possible with WebDAV
  • Unauthorized locking and replacing of items possible with WebDAV
  • Unauthorized editing of data file possible via linked items with Reupload and WebDAV (reported by Nicklous Roberts)

Bounties - As part of Gallery's Bounty Program, Merrick Manalastas will receive a bounty of $500 and Nicklous Roberts a bounty of $200 for reporting the security vulnerabilities to the Gallery Security team. Please remember that to receive the full bounty you should report security issues to security@gallery.menalto.com and not make them public at all (not even in the bug tracker) before we have had a chance to fix the issue.
