The set_time_limit function in Gallery before 1.4.4_p2 deletes non-image files in a temporary directory every 30 seconds after they have been uploaded using save_photos.php, which allows remote attackers to upload and execute execute arbitrary scripts before they are deleted, if the temporary directory is under the web root.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Gallery | Gallery_project | 1.4.4 (including) | 1.4.4 (including) |