Posted: Thu, 2012-03-15 13:04
Is there anyone in particular I should contact about security concerns with Gallery 2.3.1? I tried asking on IRC, but I'm not sure anyone was watching the channel at the time. I have seen a few attempts to hack my gallery in the last few days, and I'd like to make sure not only that they were unsuccessful, but that whatever holes they were trying to exploit either get fixed or already have been. Only some of the attempts show up in my Gallery Event Logs, which makes me nervous about the attempts that don't.
Here is one which did make it into the Event Logs. I've replaced the URL listed with "URL_GOES_HERE" in both cases.
Error (ERROR_BAD_PARAMETER) : URL_GOES_HERE can't be parsed in modules/core/classes/GalleryView.class at line 149 (GalleryCoreApi::error)
Request variables: Array
The target URL contains the following:
<?php echo md5("just_a_test");?>
As I mentioned, I see other attempts in my httpd access_log which do not show up on the Gallery Event Logs. I'd be happy to share that information with whoever handles security for Gallery, but I'd prefer to not do so on a public forum.
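One way to look for the attempts that reach the httpd access_log but never appear in the Gallery Event Logs, as an added example that is not part of the original post or of Gallery's code: it flags every request whose query parameter decodes to an absolute URL, the kind of value reported in the Event Log entry above. The log lines, addresses and parameter names below are constructed for illustration, and the Apache common/combined log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# A parameter value that is itself an absolute URL (tested after decoding).
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def decode(value, rounds=2):
    """Undo up to `rounds` extra layers of percent-encoding (double-encoded probes)."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def url_valued_params(line):
    """Return (client, time, status, param, value) for each URL-valued query parameter."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a parsable access-log line
    client, when, _method, target, status = m.groups()
    hits = []
    # parse_qsl removes the first layer of percent-encoding; decode() handles the rest.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode(value)
        if REMOTE_RE.match(value):
            hits.append((client, when, int(status), name, value))
    return hits

def scan(lines):
    """Collect URL-valued parameters across all log lines, in order."""
    return [hit for line in lines for hit in url_valued_params(line)]

# Constructed sample lines (not from the poster's logs); parameter names are hypothetical.
SAMPLE = [
    '192.0.2.10 - - [15/Mar/2012:12:01:07 +0000] "GET /gallery/main.php?view=http%3A%2F%2Fhost.example.invalid%2Ft.txt%3F HTTP/1.1" 200 5120',
    '192.0.2.10 - - [15/Mar/2012:12:01:09 +0000] "GET /gallery/main.php?page=http%253A%252F%252Fhost.example.invalid%252Ft.txt HTTP/1.1" 404 312',
    '198.51.100.7 - - [15/Mar/2012:12:02:30 +0000] "GET /gallery/main.php?itemId=42 HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    for client, when, status, name, value in scan(SAMPLE):
        print(f"{when} {client} status={status} {name}={value}")
```

A hit with status 200 only shows that the request was served, not that anything was included, so each hit still has to be compared by timestamp against the Gallery Event Logs. Legitimate redirect or return-URL parameters will also match and need to be filtered by name once they are known.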