Nuked Gallery
Security Notices
Gallery 1.4-pl2 *Security Release*

Posted on Sunday, October 12, 2003 @ 19:10:38 CDT
beckett writes "We've been alerted to a security vulnerability in Gallery 1.4 that can allow remote access to your system. It only affects a very small percentage of Unix installations (though it affects all Windows installations). Only the following versions of Gallery have the bug:
* 1.4
* 1.4-pl1
* 1.4.1 (unreleased; prior to build 145)

On Unix, this vulnerability only affects systems where Gallery is left in configuration mode (a relatively small percentage of Gallery users since Gallery is not operational in configuration mode). On Windows, this vulnerability affects anybody using versions of Gallery with the bug. The problem has been fixed in:
* 1.4-pl2 [download here]
* 1.4.1 (unreleased; build 145)

We strongly recommend that you upgrade to 1.4-pl2 immediately. However, if you don't want to install the entire 1.4-pl2 update, there are two simple approaches you can take to resolve this problem.

1. Delete gallery/setup/index.php. This will disable the configuration wizard for you until you restore this file or upgrade.

Or

2. Open gallery/setup/index.php in a text editor and change the following lines:
    if (!isset($GALLERY_BASEDIR)) {
        $GALLERY_BASEDIR = '../';
    }

to this:

    $GALLERY_BASEDIR = '../';

Note that all we are doing is deleting two lines of code."
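
To confirm which state an install is in after applying either workaround above, the following shell check (an added example, not part of the original notice or of Gallery's code) inspects gallery/setup/index.php for the guard quoted in the notice. The function names and the sample trees are constructed for illustration; it recognises only the two manual workarounds described here, not the contents of the 1.4-pl2 release.

```shell
#!/bin/sh
# Added example: audit a Gallery directory for the workarounds in this notice.
# Prints one of: removed | patched | unpatched | unknown
check_gallery_setup() {
    f="$1/setup/index.php"
    # Workaround 1: the configuration wizard entry point was deleted.
    if [ ! -e "$f" ]; then
        echo removed; return 0
    fi
    # Drop whole-line comments so a commented-out guard is not flagged.
    code=$(grep -Ev '^[[:space:]]*(//|#)' "$f") || true
    # The conditional guard that the notice says to delete.
    guard='if[[:space:]]*\([[:space:]]*![[:space:]]*isset[[:space:]]*\([[:space:]]*\$GALLERY_BASEDIR'
    if printf '%s\n' "$code" | grep -Eq "$guard"; then
        echo unpatched; return 1
    fi
    # Workaround 2: only the unconditional assignment remains.
    if printf '%s\n' "$code" | grep -Eq '^[[:space:]]*\$GALLERY_BASEDIR[[:space:]]*='; then
        echo patched; return 0
    fi
    echo unknown; return 2
}

# Constructed sample trees (not real Gallery files) for an offline run.
make_samples() {
    root=$(mktemp -d)
    mkdir -p "$root/vuln/setup" "$root/fixed/setup" "$root/gone"
    cat > "$root/vuln/setup/index.php" <<'EOF'
<?php
if (!isset($GALLERY_BASEDIR)) {
    $GALLERY_BASEDIR = '../';
}
EOF
    cat > "$root/fixed/setup/index.php" <<'EOF'
<?php
$GALLERY_BASEDIR = '../';
EOF
    echo "$root"
}

samples=$(make_samples)
for d in vuln fixed gone; do
    printf '%s: %s\n' "$d" "$(check_gallery_setup "$samples/$d" || true)"
done
rm -rf "$samples"
```

Point it at a real install with `check_gallery_setup /path/to/gallery`; a non-zero exit status means the guard is still present or the file could not be classified.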
· News by dari