| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Jun 2006 11:52:30 -0700 From: Ralf <ralfoide@...il.com> To: bugtraq@...urityfocus.com Subject: Re: [MajorSecurity #18] Ralf Image Gallery <=0.7.4 - Multiple XSS, Remote File Include and directory traversal vulnerabilities This is a follow up to the security vulnerability described in: http://www.securityfocus.com/archive/1/437818/30/60/threaded As author and maintainer of RIG (a.k.a. the Ralf Image Gallery), I made a fix available upstream yesterday: http://sourceforge.net/project/showfiles.php?group_id=54367 I strongly recommend you grab version 1.0 on Sourceforge or stop using RIG versions 0.6.5-0.7.5 at once. The choice is yours. Summary of the fix: a missing exit statement was missing in the entry point validation. I also added a check to enforce php's register_globals is turned off. More details available here: http://rig.powerpulsar.com/#news I'd usually thank Aesthetico for finding this vulnerability. However given how this was handled I will refrain. I apologize for the long delay in providing this fix, mostly due to having to take my server offline after it had been compromised as a direct consequence of the vulnerability being exposed without prior notification (email logs don't lie, despite whatever claim has been made.) Ralf/
Powered by blists - more mailing lists