Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
| Link | Tags |
|---|---|
| http://security.gentoo.org/glsa/glsa-200811-02.xml | vendor advisory |
| http://secunia.com/advisories/33144 | third party advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/45228 | vdb entry |
| http://secunia.com/advisories/31912 | third party advisory |
| http://secunia.com/advisories/32662 | third party advisory |
| https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html | vendor advisory |
| http://www.securityfocus.com/bid/31231 | vdb entry patch |
| http://gallery.menalto.com/gallery_2.2.6_released | patch |
| http://gallery.menalto.com/gallery_1.5.9_released | patch |
| https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html | vendor advisory |