Ravens PHP Scripts: Forums
 

 

PHrEEkie
Subject Matter Expert



Joined: Feb 23, 2004
Posts: 358

Posted: Wed Jan 26, 2005 8:09 pm

A security flaw was found in Menalto Gallery 1.4.4 pl-4.

Info link HERE

Menalto Gallery wrote:
Several days ago, Rafel Ivgi informed us of a possible cross site scripting (definition) problem in current versions of Gallery. The problem and some similar problems discovered by our team have been addressed in Gallery 2 CVS as well as in this release of 1.4.4-pl5.

As with most other cross site scripting problems, no risk is posed to the webserver itself or any non-Gallery data, but a Gallery install could be compromised using appropriate code.

In addition to the security fix, Gallery 1.4.4-pl5 uses the proper parameters for new versions of ImageMagick and fixes some small issues with PHP 5.

All Gallery users are strongly urged to upgrade to 1.4.4-pl5 immediately, which fixes this problem and will secure your system.

Gallery 1.4.4-pl5 can be downloaded from the Gallery Download Page.


If you use Gallery, please update your software. I've upgraded Menalto before, and it literally only takes a few mins of your time.

PHrEEk
 
dean
Worker



Joined: Apr 14, 2004
Posts: 193

Posted: Thu Jan 27, 2005 11:13 am

Hmm, I just installed Gallery last week, the version ported for nuke from nukedgallery.net. Nothing has been said at their site and I am wondering, would I be wrong to use the download from the main site like you suggested?
 
PHrEEkie







Posted: Thu Jan 27, 2005 4:35 pm

I don't know what you mean by 'ported', as Menalto Gallery doesn't require a port. You download the filesystem, uncompress to {nuke_root}/modules/gallery and run the install. Upgrading is as simple as downloading the upgrade and overwriting your old filesystem. Version number is maintained in the filesystem, not the DB, so your version will reflect your current filesystem.

Does yours say 1.4.4-pl4 or 1.4.4-pl5?

If it's pl4, your software is vulnerable to the new XSS attack. Download the pl5 upgrade and follow the upgrade instructions.

PHrEEk
 
All times are GMT - 6 Hours
 