Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Directory traversal vulnerability in phpimglist
From: Jason DiCioccio <geniusj () ods org>
Date: Mon, 11 Mar 2002 07:28:23 -0800

In addition, an official upgrade has been released:

phpimglist 1.2.2 has been released and is available from:
http://www.liquidpulse.net/s.lp?id=17

Cheers,
-JD-

Jason DiCioccio wrote:

DESCRIPTION:  There is a vulnerability in phpimglist which allows a user
to traverse through directories outside the web root.  It only shows
directories and image files although there might be a way around this.

Exploit: http://www.site.com/images/?cwd=../../../../
         -or-
         http://www.site.com/images/?cwd=/

UNOFFICIAL FIX:  Around line 76, there is a block like:

if (!$cwd) { $cwd = $SET...... else {
     $cwd = .....
}


Replace this block with the following block:

if (!$cwd) { $cwd = $SETTINGS["rootdir"]; } else {
        $cwd = ereg_replace("\.+","",$cwd);
        $cwd = ereg_replace("^/+","",$cwd);
}

This appears to fix the problem.


VENDOR/AUTHOR STATUS: I contacted the author and got a VERY QUICK
response.  The email transcript is below:

----

Hm.. Thanks  :) I\'ll get that fixed ASAP.. i thought I had put checking
for ../ in , but never tested it :)

if you have any ideas for the script,or find anything else, lemme know..
;]

replying to:
You can traverse directories using the $cwd variable in phpimglist.
Example is:

http://phpimglist.site/?cwd=/
or
http://phpimglist.site/?cwd=../../../../../

This allows you to navigate the filesystem and see any image on the
filesystem, perhaps more..

I added something that I believe fixed it..

if (!$cwd) { $cwd = $SETTINGS[\"rootdir\"]; } else {
        $cwd = ereg_replace(\"\\.+\",\"\",$cwd);
        $cwd = ereg_replace(\"^/+\",\"\",$cwd);
}

You had something similar but it was not working for some reason.

----

Cheers,
Jason DiCioccio
geniusj () ods org

Open Domain Service
http://www.ods.org/




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]