Gallery 3.0.4 Security Release Available!

After several extensive internal and external security audits which discovered 22 distinct vulnerabilities, we are releasing Gallery 3.0.4 as a security release. All of the issues require that someone with malicious intent either have an account with edit permissions, or trick a user with edit permissions into clicking on a malicious link. In most cases, this can only lead to a possible XSS vulnerability, but in several instances it allows arbitrary PHP code execution.

We thank the following individuals for reporting these issues: Chalk, Mateusz Goik, James 'albino' Kettle, Emanuel Bronshtein, and Sergey Markov. Due to their efforts, they will each be receiving bounties of $1000 for their help in making Gallery more secure. Read our Bounties page for details and how to submit any security issues you find.

We strongly recommend that all users of Gallery 3 upgrade as soon as possible.

Upgrading Gallery 3

Upgrading is really easy! Unpack the new version, move the var/ directory of the old version to the new version's folder and then either browse to:

http://your-site.com/gallery3/index.php/upgrader

or at a shell prompt:

php index.php upgrade

For more detailed upgrade instructions, please refer to the Gallery 3 User Guide.

Got feedback?

If you have any overall feedback, please visit the Gallery 3.0.4 Feedback forum topic and let us know! If you have questions, please visit the Gallery 3 Wiki, the home for Gallery 3 documentation.

scaturan's picture

thank you for the release and to all the researchers for helping mold Gallery into a more secure publishing platform!

__________________________________________________________
liberate your photos with Gallery, make the switch today!

Have just downloaded and installed 3.0.4 (well, you would when it is a security release, wouldn't you?) - but when I try to run I get...
'Gallery is not supported on Windows (PHP reports that you're using: WINNT)'
The second part is correct - but the first part is new to me?
Whilst it is easy to get around this by commenting that particular bit of code and since I am only running (for the moment) on 'localhost' (and the ultimate production environment will be Unix) this is probably not a great issue - but I'd just like to ask - 'Should I just stay with 3.0.3?'

OK - scrub that! I have now seen the posts about Windows support (or lack thereof). I have no concern about the stated position and will just stay with 3.0.3 which doesn't sulk about windows! Once I have got my theme sorted out I'll be using my ISP's Gallery3 (which is on Unix)

ckdake's picture

loptap: Gallery does not officially support windows, but you should upgrade to 3.0.4 to get the security fixes. Commenting out that bit of code is the way to go since you know enough about what you're doing to comment that out and are willing to accept the unknown security risks of running Gallery 3 on an unsupported platform.

I tried to upgrade from 3.0.2 to 3.0.4. I did everything as suggested, when I browse to /upgrader I get the "Your Gallery is Up to Date" message - but when I return to Admin I still see I'm using 3.0.2 version.

Any ideas why this happens? :)

Great to see you're taking security so seriously. Keep up the good work!

Thanks for the feedback - now upgraded to 3.0.4 - and it is working...
[img]http://kg-photography.co.uk/resource/ScreenShot190.jpg[/img]

Now just need to sort out those Permissions!

I've got my old version all in the webspace

why would downloading only the var directory only, and putting it in the new package update

then I'll have to upload the new package, wipe over everything and all my themes/modules will all be lost grrrrrr

floridave's picture
Quote:
and all my themes/modules will all be lost grrrrrr

No they will not.
Perhaps the directions are not clear enough?
Please start a new thread (in the forums) as it is hard to track your issue in the news story.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

Thanks for the update! I'd just like to say that the update method isn't quite as easy as the post says. Read the User Guide instructions for updating! That worked for me.

evobenno wrote:

then I'll have to upload the new package, wipe over everything and all my themes/modules will all be lost grrrrrr

erm ... http://codex.gallery2.org/Gallery3:User_guide:Gallery3:Installing_and_upgrading#Upgrading

<yoda>
step 6 and 7 do you must my young padawan
</yoda>

Hi

Maybe one of you guys can help me.

I just upgraded my 3.0.2 gallery to 3.0.4

- created new /gallery3 directory
- moved var/ from my old gallery to the new one
- did run the upgrader which completed fine and gallery shows correctly

But when I login as "admin" and try to set some stuff (e.g. themes, ...) I always get

---
Dang... Page not found!
Hey wait, you're not signed in yet!
Maybe the page exists, but is only visible to authorized users. Please sign in to find out.
---

There is a login form below the message and I can relogin. But this happens again and again...
Occasionally it displays:

---
:-(
Dang... Something went wrong!
We tried really hard, but it's broken.
Talk to your Gallery administrator for help fixing this!
---

After that I must close my browser to get it working again.

I know that I am not the only one with this and I spent almost two hours looking for solutions
but none of the found ones did help or were appropriate.

My system is a Fedora 17 with latest updates.

As I said. It worked on 3.0.2 and broke after upgrading to 3.0.4
Any idea ? Did I miss a step ?

Regards,
Oliver

floridave's picture

You most likely edited the .htaccess file in the original install and did not make the same edits to the new .htaccess file that ships with G3.
Start a new thread in the forums as it is hard to track in a news story.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

Upgrades would be easier if you provided patches...

Hamilcar's picture

Hi there

I upgraded to 3.04. All went well and everything works fine...almost.
I use a lot of search-code in the texts under my photos. This still works fine, but....
If I remember well in the previous versions after I selected one of the searched pics I saw breadcrumbs to the album(s) of that picture.
Now I see "Roman pictures>>search Nero>> emperor Nero" instead of:
Roman pictures>>National museum>>emperor Nero. I would like to know where this picture was found, not that it was found.
When I try to go back I often get stuck or end up at your error page.

When I tried to do this once more for this comment I noticed this doesn't happen always (but too often)
In the previous version it never happened (to me)

greetings
Vincent

All possible mistakes are made in the past.
We keep making them again and again

floridave's picture

@ Hamilcar, please start a thread in the troubleshooting section of the forums. Hard to track an issue in a news story.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

Hi,

Is there any way to track the fix on security release (v3.0.3 and v3.0.4)?
It said there are critical security fix on vulnerabilities, but cannot find in SourceForge roadmap tracker.

Can you briefly list out what issues are fixed, therefore we can decide whether it is critical for version upgrade.
Thank you very much.

Hi,
Actually I have upgraded from version 46 to 49 and since I get this message:
"This content cannot be displayed in a frame - To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame."
Is this part of a security improvement?
As I'm using frame forwarding for my website with hidden url so I can't work around as soon as you are going to my gallery over my subdomain you just get the message reported, when I then click on:
"open this content in a new Window"

It shows the full url and it opens.
This problem is with Internet Explorer, but trying with Firefox it simply shows a blank page. Same with google chrome. Before the update, I just made, it still worked. Version before was 46 now 49.

If this was a security fix, then I can’t use Gallery anymore as I have to use it in frame and I don’t want to put my system vulnerable again by disabling a feature if you blocked it for security reason
Thx

floridave's picture

http://gallery.menalto.com/node/107224#comment-398137

Dave

_____________________________________________
Blog & G2 || floridave - Gallery Team

Hi everyone, I am trying to get the REST API URL for the g3 gallery; please how do I go about that because I want to integrate the G3 into my Joomla website.

suprsidr's picture

Comments are now locked for this topic.