[NEWS] Directory Traversal Vulnerability in Phpimglist
From: support@securiteam.comDate: 03/16/02
- Previous message: support@securiteam.com: "[NEWS] CaupoShop Cross Site Scripting Bug"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Sat, 16 Mar 2002 12:04:39 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Directory Traversal Vulnerability in Phpimglist
------------------------------------------------------------------------
SUMMARY
Phpimglist creates a gallery images from a certain directory.
This script is vulnerable to the trivial directory traversal attack which
enables users to view images in arbitrary directories on the disk.
DETAILS
Vulnerable systems:
phpimglist versions prior to 1.2.2
Immune systems:
phpimglist 1.2.2
There is a vulnerability in phpimglist which allows a user to traverse
through directories outside the web root. It only shows directories and
image files although there might be a way around this.
Exploit:
http://www.example.com/images/?cwd=../../../../
http://www.example.com/images/?cwd=/
Patch:
Around line 76, there is a block like:
if (!$cwd) { $cwd = $SET...... else {
$cwd = .....
}
Replace this block with the following block:
if (!$cwd) { $cwd = $SETTINGS["rootdir"]; } else {
$cwd = ereg_replace("\.+","",$cwd);
$cwd = ereg_replace("^/+","",$cwd);
}
This appears to fix the problem.
Solution:
The author has quickly released a new version that addresses this problem.
See:
<http://www.liquidpulse.net/s.lp?id=17>
http://www.liquidpulse.net/s.lp?id=17
ADDITIONAL INFORMATION
The information has been provided by <mailto:geniusj@ods.org> Jason
DiCioccio.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NEWS] CaupoShop Cross Site Scripting Bug"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
