====== Input sanitization vulnerability in Gallery G2 ======

 
=== Affected Software ===


    * Gallery 2.0
    * Gallery 2.0 Beta 3
    * Gallery 2.0 Beta 2
    * Gallery 2.0 Beta 1
    * Gallery 2.0 Alpha 4
    * Gallery 2.0 Alpha 3
    * Gallery 2.0 Alpha 2
    * Gallery 2.0 Alpha 1
    * CVS HEAD before 2005-10-13 

=== Not vulnerable to this issue ===

    * Gallery 1.x
    * Gallery 2.0.1 and newer 

=== Vendor ===

http://gallery.sourceforge.net

=== Introduction ===

Gallery is an open source web based photo album organizer. The version 2.x ("G2") is a newly released complete rewrite of the application.
Impact
A vulnerability has been discovered in gallery, which allows remote users unauthorized access to files on the webserver.
Details

A remote user accessing gallery over the web may use specially crafted HTTP parameters to access arbitrary files located on the webserver. All files readable by the webserver process are subject to disclosure. The vulnerability is *not* restricted to the webserver's document root but extends to the whole server file space.
The vulnerabilty may be used by any anonymous user, there is no login to the application required.
Exploit

The vulnerability may be exploited by accessing an URL like this:

http://www.example.com/gallery?g2_itemId=/../../../../../../../../../../../etc/aliases%00

=== Solution ===

Upgrade to version 2.0.1 as soon as possible. The updated version is available for download now.

=== References ===

  * http://www.securityfocus.com/bid/15108
  * http://www.frsirt.com/english/advisories/2005/2110
  * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3251

=== History ===

    * 20051012 - Initial discovery and reporting (Michael Dipper, micha-at-dipper.info )
    * 20051013 - Vendor includes fixes in the CVS version
    * 20051014 - Patched version 2.0.1 released by the vendor
    * 20051103 - Added references