Gallery 1.4.4-pl3 Security Release

EDIT: There were a number of problems with pl3 so it has been pulled. Look for an updated security release some time today.

Jim Paris discovered a few security problems in Gallery which have been addressed in 1.4.4-pl3. The primary problem is a cross-site scripting vulnerability which allows code to be inserted into a Gallery by using specially formed URLs. This code then appears to be part of the Gallery.

No risk is posed to the webserver itself or any non-Gallery data, but a Gallery install could be compromised using appropriate code.

All Gallery users are very strongly urged to upgrade to 1.4.4-pl3 immediately, which fixes this serious problem and will secure your system.

Gallery 1.4.4-pl3 can be downloaded from the Gallery Download Page.
jumo's picture

I upgraded the gallery and now I get an "Error: Requested index [0] out of bounds [16]" (the bounds value is different for each album) instead of the picture. It looks like the patch broke some stuff in the gallery.

I have the same problem... index out of bounds in every album. Make sure to back up the gallery before attempting to install this upgrade!

jumo's picture

See "http://gallery.menalto.com/index.php?name=PNphpBB2&file=viewtopic&t=22559" for more information.

Maybe we shouldn't strongly urge the upgrade until we get this problem fixed.

Draco

SamBeckett's picture

Why don't you pull this news until a patch that works is out? We wouldn't want people to try to exploit