Recently there was a post on BugTraq, a well known security mailing list that referred to a security hole in Gallery. You should read the post yourself, but the specific issue that the poster was refers to is the fact that on a shared webserver it's possible for other webserver users (ie, other customers of your ISP) to read and write your data files. In this article, I'm going to discuss in detail the problem, explain why this is not a Gallery specific issue, help you to understand if you're at risk, and outline the steps that you can take to increase your security.

Jason Trommeter writes "I've just started a new website called Scrapblog.com. I'd like to make it into a community photo gallery for people who have blogs and want to post photos, but aren't able to install Gallery on their own servers.". It looks pretty cool. Sign up and publish your photos with them!

This release is primarily aimed at fixing a variety of small bugs that have existed in Gallery for a few releases, as well as a couple of fairly serious bugs (including a very serious SECURITY bug that can lead to a remote exploit) that were introduced in the version 1.3.2. If you are using the 1.3.2 release we STRONGLY RECOMMEND that you upgrade to 1.3.3 as soon as possible to minimize the possibility of a web server compromise.

We have discovered (thanks to Michael Graff!) a security hole in Gallery 1.3.2 that can lead to a potential remote exploit of your web server by a malicious user. This hole has been patched in version 1.3.3 which will be available for download by midnight 12/27/2002 PST. If you are using the official Gallery 1.3.2 release, or a CVS release between Gallery 1.3.2 build 27 to Gallery 1.3.3 build 5 (inclusive), then we STRONGLY recommend that you upgrade to Gallery 1.3.3 or apply the security patch detailed below.

The holiday season is upon us! This means it's time for me to try like the dickens to spend time with my family. I'll be taking a break from answering questions in the support forums and by private message from now until after Christmas (or possibly after New Year's depending on my holiday plans). If you've posted a question, please be patient. I'll be sure to answer any unanswered topics in the help and troubleshooting forums when I get a chance.

In the meantime I'd like to send out a big, huge thanks to beckett and joyoflinux who have each posted over 300 posts on the forums in the last 30 days. By this point they have helped hundreds of people to get their Gallery installs up and running. It's guys like you that make this project a success .. keep up the good work!

-Bharat

Gallery has been using Shutterfly as a print service for over a year now. However, recently we managed to strike a deal with them where we raise the price of photo printing marginally, and that extra money gets donated back to the Gallery project. If you're using Gallery 1.3.2 or newer, you'll find that the price of printing photos has gone up by 2 cents (US). For more details on where this money goes, and how to disable it (if you don't want to donate) read on.