Home | Support Forums | Your Account | Gallery [2] | Downloads | News | Site Map ]
Nuked Gallery
  Create a FREE account or Login   As a guest, you don't have access to our FULL navigation system.
Gallery Releases
Gallery 2.2.5 Security Fix Release
Posted on Thursday, June 12, 2008 @ 06:44:38 CDT
Gallery 2.2.5 is now available for download. This release fixes critical security issues, no new features have been added. Users of all previous Gallery 2 versions are strongly encouraged to upgrade to version 2.2.5 as soon as possible! All issues addressed in this release have been discovered in internal security audits.

Since 2.2.5 is a security release, it shares the same installation requirements as 2.2.4. If you haven't upgraded to 2.2.x yet, please review the Gallery 2.2 release notes for highlights of changes and the requirements. Read on for more details and upgrade instructions.

Upgrading Instructions

Upgrading is quick and easy

  • Users of Gallery 2.1 or earlier should review release notes for requirement changes and update all application files.
  • Users of Gallery 2.2 or later (2.2.1, 2.2.2, 2.2.3 or 2.2.4) can use an update file to upgrade specific core files and then upgrade the affected modules via Downloadable Plugins.
  • After the upgrade, users of the Password module should check if any non-album items are password protected directly in their gallery. If this is the case, the password protection should be removed from that item and it should be protected with normal view permissions or moved into an album that is password protected.

Regardless of your Gallery's version, review the upgrading instructions for complete details.

Security Vulnerabilities

Gallery 2.2.5 addresses the following security vulnerabilities:

  • XSS through host and path component of request URL - The complete request URL is now properly sanitized (applying the same input filtering as for all other inputs). This severe vulnerability affects all modules.
  • Information disclosure in album-select module - Fixed exposure of album titles through the album-select module when a guest would add a new album to a hidden album.
  • Permission escalation through zip archive extraction - No longer creating sub-albums when adding items from a zip archive if the active user does not have the necessary permission to do so.
  • Information disclosure through embed.php - embed.php is no longer susceptible to spoofing the remote address and thus no longer discloses the local filesystem path of the Gallery 2 installation folder.
  • View permissions not enforced for password protected items - No longer offering the option to protect non-album items directly and only offering the feature for albums since full protection only applies to the items within the album.
· More about Gallery Topics
· News by dari
Most read story about Gallery Topics:
Updated Gallery Files for phpNuke 6.5


Average Score: 1
Votes: 1


Please take a second and vote for this article:

Excellent
Very Good
Good
Regular
Bad



 Printer Friendly Printer Friendly

 Send to a Friend Send to a Friend





Sponsors: Web HostingDomain NamesDedicated ServersDedicated Web HostingDomain Name RegistrationWeb hosting AustraliaSEO Web DesignWeb Design New YorkSearch Engine OptimizationSearch Engine Optimisation

6th year online! 2003-2008
Legal • Use of this site consitutes agreement to the Acceptable Use Policy
Hosted by Implosion WorksSourceForge.net Logo • Theme by TonicMedia