Gallery v1.3.4-pl1 security release

We received email this morning from Larry Nguyen, an alert and responsible Gallery user who notified us about a cross-site-scripting flaw in Gallery that affects all released versions from v1.1 to v1.3.4. This security flaw can allow a malicious user to craft a URL that executes Javascript code on your website.

We estimate the security risk of this flaw to be relatively minor, however we take all security issues very seriously. You can download patch instructions or a complete version of Gallery including the new changes from the Download Page on SourceForge.

Read on for more information on the vulnerability, cross site scripting, and a simple one-character-change quick fix.
The simple fix is to edit search.php and change this line:

    $searchString = removeTags($searchstring);


    $searchstring = removeTags($searchstring);

Note that the entire change is in the capitalization of a single letter. This is a very simple fix that you can make trivially with your text editor. To test the error, try searching for the following:

in your Gallery. If it shows a Javascript popup window, then you didn't make the change correctly.

Cross site scripting is a technique where one user manages to embed special Javascript commands into a website such that another user executes them. This javascript code can do a variety of bad things. This particular vulnerability is not as severe, because the user would have to arrange for you to click upon a URL that they send you containing the javascript (since search terms are not saved anywhere in Gallery).

I'm still running Gallery 1.3.3. I confirmed that the problem is present in that version, and that the one character fix works.<br />
<br />
Thanks for the quick response to this issue.

bharat's picture

Oops, I forgot to list the affected versions in my original news story. I've updated the story to mention that this bug is in all versions of Gallery from v1.1 up to v1.3.4. Good catch, rv8!<br />

BorgKing's picture

I'm really wondering about the potential risk here. Since search terms are not saved, is it even possible to damage anything in Gallery?<br />
<br />
If I get it right, the only way this security flaw can have an impact is when I click on a URL with malicious code, and then only my computer could be affected, not my Gallery. Isn't this a potential security risk with every URL?

bharat's picture

The real risk is that somebody sends you a URL to your own Gallery (where you have admin privileges) and that URL contains javascript which emails them your session ID. You click the URL, they get your session id, then they do Bad Things to your gallery. If you can't see the contents of the URL be careful about clicking it!

SamBeckett's picture

I'm patched.<br />
Thanks too<br />
<br />
Is there any way to get on a mailing list from you guys for security news? thanks

schultmc's picture

This XSS vulnerability has been fixed as of version 1.3.4-3 in Debian unstable (uploaded 7/28/2003, should be included in the archive run in the afternoon of 7/29/2003) and in version 1.2.5-8 in Debian stable (Awaiting action by the Debian security team).

schultmc's picture

The version in Debian stable is 1.2.5-8woody1 (See <a href="">DSA-355</a>)