possible security problem with gallery remote

nuttervm

Joined: 2003-03-24
Posts: 22
Posted: Tue, 2003-04-01 00:35

I'm using Gallery remote v1.0 and gallery 1.3.3 and have created an account on my server for my girlfriend to upload pictures. I changed the permissions on my albums so only the administrator account can make changes or additions. I created an album that she has full control over. When managing the gallery from the web interface the permissions are enforced, but when she adds pics/albums from gallery remote she is able to add things to my galleries.

The gallery remote interface shows my albums as being read only, but doesn't enforce it at all. I figure that people are already aware of this, but it never hurts to speak up.

I am running OpenBSD 3.2-stable and compiled netpbm-9.24, PHP v4.2.3 and unzip-5.50 from the ports snapshot. Apache is 1.3.26 but patched with all of the latest security patches, and is running in an unchrooted environment.

 
nuttervm

Joined: 2003-03-24
Posts: 22
Posted: Sun, 2003-04-06 20:47

Any developers have anything to say about this?

 
Prime

Joined: 2003-04-22
Posts: 7
Posted: Tue, 2003-04-22 19:45

I'm experiencing exactly the same problem. The existing albums are all set up so that only the owner and admin can add pictures or sub-albums. Works just as it should via the web. However, I can set up a test account with no special authorities, log in with it using Gallery Remote, and can add sub-albums and pictures anywhere I want. This is pretty much a security disaster.

It's a great tool, especially in that it allows the users to sequence the images and create captions before the upload. But since it also so easily allows one user to royally screw up another user's album, I think I'm just going to have to remove the remote php pages and disable the functionality.

 
nuttervm

Joined: 2003-03-24
Posts: 22
Posted: Tue, 2003-04-22 20:35

What I don't understand is the apparent lack of attention this has gotten from the developers. I can't believe that they would consider this to be a non-issue and ignore this for so long (it's been almost a month with no reply!)

 
nuttervm

Joined: 2003-03-24
Posts: 22
Posted: Wed, 2003-05-21 03:10

Have any developers looked into this?

 
paour

Joined: 2002-08-14
Posts: 1479
Posted: Wed, 2003-05-21 21:04

I'm back from a long 'reverse-sabbatical'. I agree it's a major issue, and I'll get on it with top priority. Thanks for your persistence.

 
paour

Joined: 2002-08-14
Posts: 1479
Posted: Sun, 2003-05-25 20:52

OK, done. There was an extremely stupid bug in gallery_remote2.php. It's now fixed in Gallery v1.3.4-cvs-b39.

 
t1m

Joined: 2004-11-15
Posts: 1
Posted: Mon, 2004-11-15 09:20

Hi,

Maybe a little stupid, but I also have the same problem.

I'm using Gallery Remote 1.4.2 B6 and Gallery 2 alpha-2.

How can I fix this problem? I looked for the permissions but they seem alright.

Tnx!