Debian Security Advisory DSA 138-1 (gallery) Network Vulnerability

Summary

The remote host is missing an update to gallery announced via advisory DSA 138-1.

Solution

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20138-1

Insight

A problem was found in gallery (a web-based photo album toolkit): it was possible to pass in the GALLERY_BASEDIR variable remotely. This made it possible to execute commands under the uid of web-server. This has been fixed in version 1.2.5-7 of the Debian package and upstream version 1.3.1.

Severity

Classification

CVE CVE-2002-1412
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Debian Security Advisory DSA 028-1 (man-db)
Debian Security Advisory DSA 005-1 (slocate)
Debian Security Advisory DSA 1021-1 (netpbm-free)
Debian Security Advisory DSA 089-1 (icecast-server)
Debian Security Advisory DSA 081-1 (w3m, w3m-ssl)

Take action and discover your vulnerabilities