Debian Security Advisory DSA 138-1 (gallery) Network Vulnerability

Summary

The remote host is missing an update to gallery announced via advisory DSA 138-1.

Solution

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20138-1

Insight

A problem was found in gallery (a web-based photo album toolkit): it was possible to pass in the GALLERY_BASEDIR variable remotely. This made it possible to execute commands under the uid of web-server. This has been fixed in version 1.2.5-7 of the Debian package and upstream version 1.3.1.

Severity

Classification

CVE CVE-2002-1412

CVSS	Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Debian Security Advisory DSA 1011-1 (kernel-patch-vserver, util-vserver)
Debian Security Advisory DSA 1037-1 (zgv)
Debian Security Advisory DSA 012-1 (micq)
Debian Security Advisory DSA 106-1 (rsync)
Debian Security Advisory DSA 099-1 (XChat)

Take action and discover your vulnerabilities