Download Gallery 2.2.5


Version 2.2.5 of Gallery was released today. Gallery is a program written in PHP that can be used to create online photo albums. Unlike JAlbum, for example, the photos are stored in a database and a web server is needed to run the whole thing. Other features include the Photo Management option, which can automatically create thumbnails and rotate and resize photos, among other things. It is also possible to assign read and/or write rights to the albums, and there are countless modules to further extend the possibilities or adjust the appearance. Version 2.2.5 addresses a number of serious security vulnerabilities and an upgrade is strongly recommended. More information can be found in the changelog:

Gallery 2.2.5 addresses the following security vulnerabilities:

  • XSS through host and path component of request URL – The complete request URL is now properly sanitized (applying the same input filtering as for all other inputs). This severe vulnerability affects all modules.
  • Information disclosure in album-select module – Fixed exposure of album titles through the album-select module when a guest would add a new album to a hidden album.
  • Permission escalation through zip archive extraction – No longer creating sub-albums when adding items from a zip archive if the active user does not have the necessary permission to do so.
  • Information disclosure through embed.php – embed.php is no longer susceptible to spoofing the remote address and thus no longer discloses the local filesystem path of the Gallery 2 installation folder.
  • View permissions not enforced for password protected items – No longer offering the option to protect non-album items directly and only offering the feature for albums since full protection only applies to the items within the album.


Version number: 2.2.5
Release status: Final
Website: SourceForge
Download
License type: GPL