Description
The register_globals simulation capability in Gallery 1.3.1 through 1.4.1 allows remote attackers to modify the HTTP_POST_VARS variable and conduct a PHP remote file inclusion attack via the GALLERY_BASEDIR parameter, a different vulnerability than CVE-2002-1412.
Product(s):
- Gallery Project Gallery 1.3.1
- Gallery Project Gallery 1.3.2
- Gallery Project Gallery 1.3.3
- Gallery Project Gallery 1.4.1
- Gallery Project Gallery 1.4
- Gallery Project Gallery 1.4 for WordPress
Question to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2004-2124, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2004-2124 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.