CVE-2008-4129 Information

Description

Gallery before 1.5.9 and 2.x before 2.2.6 does not properly handle ZIP archives containing symbolic links which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality.

Reference

http://gallery.menalto.com/gallery_1.5.9_released http://gallery.menalto.com/gallery_2.2.6_released http://secunia.com/advisories/31912 http://secunia.com/advisories/32662 http://secunia.com/advisories/33144 http://security.gentoo.org/glsa/glsa-200811-02.xml http://www.securityfocus.com/bid/31231 https://exchange.xforce.ibmcloud.com/vulnerabilities/45228 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html