Security Contributors

The following individuals responsibly submitted security vulnerabilities to the Gallery team, and were rewarded with cash bounties. This program is over, but we'd like to continue to recognize their contributions.

• Nick Roberts - $200 (security issue)
• Meric Manalastas - $500 (security issue)
• Russell Lee - $75, Tim Almdal - $175 (notifications module RFE)
• Hanno Boeck - $100 (security issue)
• Alex Ustinov - $500 (security issue)
• John Hisdock - $250 (security issue)
• Kriss Andsten - $400 (security issue: permission bypass)
• George Argyros
• Aggelos Kiayias
• Chalk - $1000 (collection of security issues)
• Mateusz Goik - $1000 (collection of security issues)
• James 'albino' Kettle - $1000 (collection of security issues)
• Emanuel Bronshtein - $1000 (collection of security issues)
• Sergey Markov - $1000 (collection of security issues)
• Dhiraj Ranka - $400 (security issue)
• Dhaval Chauhan / @ 17haval - $400 (security issue)
• ma.la - $400 (security issue)

Thanks!

Several people have reported issues where Gallery administrators can include malicious content. We don't pay out bounties for these because we assume that Gallery Administrators have full control over their site and could add malicious content without using an un-sanitized input field in an administrator only view.

• Atulkumar Hariba Shedage and Ritesh Arunkumar Sarvaiya of Defencely
• Paweł Hałdrzyński

Several people have reported issues to us with our website which include Drupal, Mediawiki, and a few other things. We don't pay out bounties for these but appreciate responsible disclosure on these. Note: We are aware that our login forms are sent over HTTP and are ok with this. Additionally, any vulnerabilities reported that were found with an automated scanning tool must include a description and a proof-of-concept other than the one generated by the tool.

• Ashar Javed - XSS on galleryproject.org
• Shashank Kumar - File contents disclosure and XSS on codex.galleryproject.org
• Kamal - Server Platform Leak on codex.galleryproject.org
• Ajay Singh Negi - Account security issue on galleryproject.org
• Emanuel Bronshtein - Server Platform Leak on menalto.com (codex, home, gallery)
• Rafay Baloch - XSS on codex.galleryproject.org
• Kamil Sevi - XSS on menalto.com
• SimranJeet Singh - XSS on reviews.gallery2.org (now decommissioned)
• Harsha Vardhan Boppana - cipher strength issue on menalto.com SSL
• Thamatam Deepak - path disclosure on galleryproject.org test sites
• Jimmy_RST - File Inclusion issue on galleryproject.org
• Hip of Insight-Labs - XSS on menalto.com
• Andrew Edwards - various issues with menalto.com and codex.galleryproject.org
• Nihal Mistry - Full Path Disclosure on codex.galleryproject.org
• Vinesh Redkar - XSS on galleryproject.org
• Tejash Patel - CSRF on codex.galleryproject.org
• Nikhalesh Singh Bhadoria - XSS on menalto.com
• John Carroll - malicious URL inclusion on galleryproject.org
• Jay Turla - Apache Range Exploit on galleryproject.org
• Bo0oM / @ i_bo0om - Remote shell access to galleryproject.org
• Brij Kishore Mishra - Full Path Disclosure on galleryproject.org
• Missoum SAID / @missoum1307 - Full Path Disclosure on galleryproject.org
• Rodolfo Godalle, Jr. - Full Path Disclosure on gallery project.org
• Mennouchi Islam Azeddine - Content Injection on codex.galleryproject.org
• Ali Hasan Ghauri - Clickjacking on menalto.com
• Jerold Camacho - CRSF on menalto.com
• Dinesh Kumar P - Brute Force Login on galleryproject.org
• Jamie Niemasik / @jniemasik - Missing SPF record on galleryproject.org
• Nehal Hussain - phpinfo disclosure on galleryproject.org
• Allan Jay Tomol - SPF issue with galleryproject.org
• Wassim Batta - file disclosure on galleryproject.org
• N B Sri harsha - SPF issues with galleryproject.org and menalto.com
• Marc Rivero López / @seifreed - SSL vulnerability on galleryproject.org
• Sarath Kumar - OpenSSL CCS Injection Vulnerability
• Faisal Ahmed - Path Disclosure on galleryproject.org
• Ismail Tasdelen - XSS vulnerability in galleryproject.org

NewPP limit report CPU time usage: 0.006 seconds Real time usage: 0.007 seconds Preprocessor visited node count: 7/1000000 Preprocessor generated node count: 12/1000000 Post‐expand include size: 0/2097152 bytes Template argument size: 0/2097152 bytes Highest expansion depth: 2/40 Expensive parser function count: 0/100 Saved in parser cache with key codex_gallery2_org:pcache:idhash:3605-0!!!!!!* and timestamp 20201116011627 and revision id 28024