phpPhotoAlbum v0.99 and below for Windows and Unix allows remote users to read any file on the system with priviledges as the httpd. Fix available here.
1fd5dac557c53d92324e640ef142c13d6504f28411ca172131ea0b05a2852c6e
*************************************************
+ PhotoAlbum 0.9.9 explorer.php Vulnerability +
*************************************************
# Advisory by pestilence #
# www.synnergy.net #
|===============================================|
Affected program: PhotoAlbum v0.9.9 (previous ?)
System : Linux, UNIX, Windows
Problem : Problem located within the explorer.php script.
Discovery : pestilence@synnergy.net
Discussion
----------
phpPhotoAlbum is the next generation of dynamic photo albums, distributed under GPL.
This product is made by the 'Professional Web Application Development Group' and
can be downloaded from http://www.phpphotoalbum.com/
Specialised features of this PHP script include:
.Custom Photo Folder Messages
.Multi-level Photo Albums
.Graphic User Interface
.Supported Most Image Types
Vulnerability
-------------
Any user is able to traverse a directory as a request to the script using the $folder
variable. It is then possible to read any file/folder with priviledges as the httpd.
For instance:
http://www.phpphotoalbum.com/products/phpPhotoAlbum/explorer.php?folder=../../../../../../../etc/
.. will reveal all the files located in the specified directory.
Solution
--------
The vendors have been informed of the bug.
Wait for the next patched version of PhotAlbum to be released.
----------------------------------------
WEB: http://www.synnergy.net
----------------------------------------