Gallery 2.0.4 release / 2.1-RC-2a update

Thanks once again to James Bercegay from GulfTech Security Research for tipping us off to a security vulnerability in Gallery 2.0.3 and the 2.1 release candidates. Your installation is only vulnerable if you have the register_globals PHP setting enabled. If you're vulnerable, an attacker can use this to execute a "local inclusion" exploit, or run code that's already on your server. This is especially dangerous if you allow upload privileges to users you don't trust, and your g2data directory is in a predictable location. We have released Gallery 2.0.4 and 2.1-RC-2a to fix this vulnerability, but it's also very easily patched by hand if you don't want to install a complete update. Read on for more details on how to quickly secure your Gallery install.

This vulnerability affects all versions of Gallery 2.x, but Gallery 1.x is not affected. If you're using Gallery 2.x we strongly recommend that you upgrade or secure your Gallery installation as soon as possible!

Note: As with 2.1-RC2, if you have problems with this release candidate please discuss them in the Gallery 2.1 RC2 Forum Topic. Thanks!

There are several quick and easy ways to secure your Gallery installation from this particular exploit. Pick whichever one of these makes the most sense to you. You only need to do one of these!
  1. The easiest way to secure your Gallery 2 install, in either 2.0.x or 2.1, is to simply delete the index.php file from inside your upgrade and install directories. When you next do an upgrade, you'll get a new, secure copy of these files. In the meantime you won't be able to run the install/upgrade code (but if your Gallery is working fine, you won't miss it).
  2. If you're using 2.0.x, we have provided update files that contain the minimum files you need to get your Gallery up to date. Follow the upgrading instructions to apply the patch.
  3. Turn off the register_globals PHP setting. Edit your server's php.ini file and find a line like this:
     [code] register_globals = On [/code]
     and change it to:
     [code] register_globals = Off [/code]
     then restart your webserver.
  4. Edit upgrade/index.php. The first line should be <?php. On the second line add the following:
     [code] $stepOrder = array(); [/code]
     Repeat this for install/index.php.
  5. If you have problems, please ask for help in the Gallery 2 Installation and Configuration Help forum.
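
An added example, not part of the original announcement and not Gallery's own code: a small audit script that reports which of the hand mitigations above (options 1, 3 and 4) are in place for an install. The function names and the status strings are hypothetical, and the sample install is constructed.

```python
import re
import tempfile
from pathlib import Path

# Option 4's hand patch: "$stepOrder = array();" on the line after "<?php".
INIT_RE = re.compile(r"^\s*\$stepOrder\s*=\s*array\s*\(\s*\)\s*;")
RG_RE = re.compile(r"^\s*register_globals\s*=\s*([^\s;]+)", re.IGNORECASE)

def entry_point_status(index_php):
    """Return 'removed' (option 1), 'hand-patched' (option 4) or 'no-hand-patch'."""
    if not index_php.exists():
        return "removed"
    lines = index_php.read_text(errors="replace").splitlines()
    if len(lines) >= 2 and lines[0].strip() == "<?php" and INIT_RE.match(lines[1]):
        return "hand-patched"
    return "no-hand-patch"  # a file replaced by an upgrade is not recognised here

def register_globals_on(php_ini_text):
    """Option 3: the last uncommented register_globals line in php.ini wins."""
    value = "off"  # PHP's built-in default since 4.2.0
    for line in php_ini_text.splitlines():
        match = RG_RE.match(line)
        if match:
            value = match.group(1).strip('"').lower()
    return value in ("on", "1", "true", "yes")

def audit(gallery_root, php_ini_text):
    """Summarise which of the hand mitigations are in place for one install."""
    report = {d: entry_point_status(Path(gallery_root) / d / "index.php")
              for d in ("upgrade", "install")}
    globals_on = register_globals_on(php_ini_text)
    report["needs_attention"] = globals_on and "no-hand-patch" in report.values()
    report["register_globals"] = "on" if globals_on else "off"
    return report

if __name__ == "__main__":
    # Constructed sample install: upgrade/ hand-patched, install/ left untouched.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in (("upgrade", "<?php\n$stepOrder = array();\nrequire 'x.php';\n"),
                           ("install", "<?php\nrequire 'x.php';\n")):
            (root / name).mkdir()
            (root / name / "index.php").write_text(body)
        print(audit(root, "; constructed php.ini\nregister_globals = On\n"))
```

The script only reads the php.ini text it is given, so a register_globals value set elsewhere (for example per directory in the web server configuration) is not seen. An install updated with the 2.0.4 files (option 2) will show as no-hand-patch unless it also carries the option 4 line.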

I've submitted a gallery-2.0.4 ebuild to the Gentoo developers, same as I have for 2.0.2 and 2.0.3 :)

The 2.1-RC-2a update is NOT working for me; it goes back to step 1 after the last step.

P.S. How do I execute the cleanup.sh script?

schultmc's picture

Version 2.0.4-1 of the Debian gallery2 package was uploaded to Debian unstable on Saturday, March 11, 2006 and will be available in Debian unstable after the archive run completes in the afternoon (EST) on Sunday, March 12, 2006.

--
Debian gallery package maintainer

scaturan's picture
NBrady wrote:
The 2.1-RC-2a update is NOT working for me; it goes back to step 1 after the last step.

P.S. How do I execute the cleanup.sh script?

I think the cleanup script will only work if you have SSH/terminal access:

- review clean.sh with a text editor, verify the contents (if you must)
- type: chmod u+x clean.sh
- move clean.sh into ~/path-to/gallery2/
- execute the script to eradicate the unneeded items by typing: ./clean.sh
- refresh the current installer page you're in (optional)

Post your issues at http://gallery.menalto.com/gallery_2.1_RC2_feedback

Ok I had this problem.

If you notice, the URLs for steps 1-3 are upgrade/index.php?step=1&PHPSESSID= and on 4 the link is upgrade/index.php?step=4 without the PHPSESSID=. What I did, rather than click next, was modify the URL from upgrade/index.php?step=3&PHPSESSID= to upgrade/index.php?step=4&PHPSESSID= and it worked fine :)

inkpassion wrote:
Ok I had this problem.

If you notice, the URLs for steps 1-3 are upgrade/index.php?step=1&PHPSESSID= and on 4 the link is upgrade/index.php?step=4 without the PHPSESSID=. What I did, rather than click next, was modify the URL from upgrade/index.php?step=3&PHPSESSID= to upgrade/index.php?step=4&PHPSESSID= and it worked fine :)

Hahah, very nice! Good little solution! Thnx a bunch!