PT-2004-3020 · Gallery · Gallery
Fred +1 · Published 2004-12-31 · Updated 2017-07-11 · CVE-2004-2124
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Gallery versions 1.3.1 through 1.4.1
Description
The issue allows remote attackers to modify the HTTP_POST_VARS variable and conduct a PHP remote file inclusion attack via the GALLERY_BASEDIR parameter.
Recommendations
For Gallery versions 1.3.1 through 1.4.1, consider disabling the register_globals simulation capability as a temporary workaround until a patch is available. Restrict access to the GALLERY_BASEDIR parameter to minimize the risk of exploitation.
Affected Products
Gallery