Gallery < 3.0.5 Multiple Vulnerabilities

Medium Nessus Plugin ID 65767

Synopsis

The remote web server contains a PHP application that is affected by multiple vulnerabilities.

Description

According to its version number, the Gallery install hosted on the remote web server is affected by multiple vulnerabilities:

- The application is affected by a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input to the 'Module Name' field in the advanced settings. Administrator credentials are required in order to exploit this issue.

- An attacker can delete arbitrary files on the remote host under certain conditions when the 'Watermark' module is activated. After a watermark image file has been uploaded, the name of the image can be altered in the advanced settings section. This altered name is used when deleting the file and can allow an arbitrary file to be deleted. Successful exploitation does require administrator credentials.

- The application is affected by a remote code execution vulnerability when the application has not been fully installed. During the application setup, a user enters database information in which the 'host', 'username', and 'password' fields are not properly sanitized. An unauthenticated, remote attacker can take advantage of this vulnerability by using specially crafted input in the affected fields in order to execute arbitrary code on the remote host.

- The application is reportedly affected by an additional cross-site scripting issue related to the version of Flowplayer bundled with Gallery.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
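Because this plugin decides purely on the self-reported version string, the only logic worth getting right is the version comparison itself. The following Python is an added illustration written for this page, not the NASL source of plugin 65767; the fixed version 3.0.5 comes from the advisory above, while the helper names (`parse_version`, `is_vulnerable`) and the sample version strings are constructed for the example. It shows why a dotted version must be compared component-wise rather than as text: a plain string comparison would flag a hypothetical 3.0.10 as older than 3.0.5.

```python
import re

# Fixed release named in the advisory's Solution section.
FIXED_VERSION = "3.0.5"


def parse_version(version):
    """Turn a dotted version string into a tuple of integers.

    Each component is read up to its first non-digit, so a constructed
    value like '3.0.5-rc1' parses as (3, 0, 5). Pre-release suffixes are
    deliberately ignored here (assumption: a version-only check, like the
    plugin, cannot tell rc builds from the final release).
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
        if match.end() != len(piece):
            # Stop at the first component carrying a suffix such as '-rc1'.
            break
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(parts)


def is_vulnerable(reported, fixed=FIXED_VERSION):
    """True when the reported version sorts before the fixed release.

    Shorter tuples are zero-padded so that '3.0' compares as 3.0.0, which
    is older than 3.0.5 and therefore still in the affected range.
    """
    have, want = parse_version(reported), parse_version(fixed)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want


def naive_string_check(reported, fixed=FIXED_VERSION):
    """The mistake the tuple comparison avoids: lexicographic ordering."""
    return reported < fixed


if __name__ == "__main__":
    # Constructed sample of self-reported versions, as a scanner might
    # scrape them from the application's banner or README.
    for sample in ["2.3", "3.0", "3.0.4", "3.0.5", "3.0.10"]:
        print(f"{sample:>7}: vulnerable={is_vulnerable(sample)} "
              f"(string compare would say {naive_string_check(sample)})")
```

The useful contrast is the 3.0.10 sample: the component-wise check correctly reports it as patched, while the string comparison would raise a false positive. A real check should also surface the caveat the advisory states, namely that a matching version number is evidence of exposure, not proof that any of the listed issues is reachable on this particular install.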

Solution

Upgrade to Gallery 3.0.5 or later.

See Also

http://www.nessus.org/u?31a97ff3

http://galleryproject.org/gallery_3_0_5

Plugin Details

Severity: Medium

ID: 65767

File Name: gallery_305.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 2013/04/02

Updated: 2018/11/15

Dependencies: 65766

Configuration: Enable paranoid mode

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:gallery_project:gallery

Required KB Items: www/PHP, www/gallery, Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2013/02/21

Vulnerability Publication Date: 2012/07/21

Reference Information

BID: 58172

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990