This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.

The remote web server contains a PHP application that is affected by
an IP spoofing issue.

The version of Gallery hosted on the remote web server allows an
attacker to spoof the IP address with a bogus 'X_FORWARDED_FOR' HTTP
In addition, an authenticated attacker can reportedly leverage this
flaw to launch cross-site scripting attacks by adding comments to a
photo. The application also reportedly fails to validate a session
id before using it, which can be used to delete arbitrary files on
the remote host, subject to the privileges of the web server user id.
However, Nessus has not tested for these additional issues.

Upgrade to Gallery 2.0.3 or later.
Risk factor :
Medium / CVSS Base Score : 6.4
CVSS Temporal Score : 5.3
Public Exploit Available : true
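
The spoofing issue described above comes from trusting a client-supplied forwarding header. The following is an added example, not code from Gallery or from the Nessus plugin: it shows the unsafe pattern beside a hardened client-address resolver. The function names, the `TRUSTED_PROXIES` list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not Gallery's own code.

// ASSUMPTION: addresses of the reverse proxies you operate (constructed values).
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Unsafe pattern: any client can send this header, so the address that gets
// logged or checked is whatever the client chooses.
function client_ip_naive(array $server): string
{
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
}

// Hardened: the TCP peer (REMOTE_ADDR) is authoritative. The header is read
// only when the peer is a trusted proxy, and the chain is walked right to
// left, stopping at the first hop that is not one of our own proxies.
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $last = $server['REMOTE_ADDR'];
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($last, $trusted, true)) {
        return $last;
    }
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        // Reject anything that is not an IP literal, so the stored value
        // can never carry markup or other free text.
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $last;
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop; // first address not appended by our own proxies
        }
        $last = $hop;
    }
    return $last;
}

// Constructed requests: a direct client forging the header, and a request
// relayed by a trusted proxy whose chain starts with a forged entry.
$direct  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'];
foreach ([$direct, $proxied] as $req) {
    printf("naive=%s hardened=%s\n", client_ip_naive($req), client_ip($req));
}
```

Whatever address is resolved should still be output-encoded (for example with `htmlspecialchars`) wherever it is displayed.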