The Gallery User Name XSS

2006-01-19T03:33:20
ID OSVDB:22660
Type osvdb
Reporter Peter Schumacher
Modified 2006-01-19T03:33:20

Description

Vulnerability Description

The Gallery contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the fullname set by users. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 1.5.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific News/Changelog Entry: http://bugs.gentoo.org/show_bug.cgi?id=119590
Vendor Specific Advisory URL
Secunia Advisory ID: 18557
Secunia Advisory ID: 18627
Secunia Advisory ID: 21502
Other Advisory URL: http://security.gentoo.org/glsa/glsa-200601-13.xml
Other Advisory URL: http://gallery.menalto.com/page/gallery_1_5_2_release
FrSIRT Advisory: ADV-2006-0282
CVE-2006-0330
Bugtraq ID: 16334