Gallery 3.0.4 Security Release Available!
After several extensive internal and external security audits that discovered 22 distinct vulnerabilities, we are releasing Gallery 3.0.4 as a security release. All of the issues require that someone with malicious intent either have an account with edit permissions, or trick a user with edit permissions into clicking on a malicious link. In most cases, the impact is limited to a possible XSS vulnerability, but in several instances it allows arbitrary PHP code execution.
We thank the following individuals for reporting these issues: Chalk, Mateusz Goik, James 'albino' Kettle, Emanuel Bronshtein, and Sergey Markov. Due to their efforts, they will each be receiving bounties of $1000 for their help in making Gallery more secure. Read our Bounties page for details and how to submit any security issues you find.
We strongly recommend that all users of Gallery 3 upgrade as soon as possible.
Upgrading Gallery 3
Upgrading is really easy! Unpack the new version, move the var/ directory of the old version to the new version's folder and then either browse to:
or at a shell prompt:
php index.php upgrade
For more detailed upgrade instructions, please refer to
3 User Guide