Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [KAPDA]CopperminePhotoGallery1.4.4~ PluginInclusionSystem(index.php)~ RemoteFileInclusion attack
From: Dariusz Kolasinski <ofi () evil net pl>
Date: Sun, 16 Apr 2006 11:40:13 +0200

Dnia sobota, 15 kwietnia 2006 07:26, addmimistrator () gmail com napisał:
ORIGINAL ADVISORY:
http://myimei.com/security/2006-04-14/copperminephotogallery144-plugininclu
sionsystemindexphp-remotefileinclusion-attack.html ——————-Summary—————-
Software: CPG Coppermine Photo Gallery
Sowtware’s Web Site: http://coppermine.sourceforge.net/
Versions: 1.4.4.stable
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: High

SEE ORIGINAL ADV FOR MORE INFO!

Quick fix:
change following lines in index.php:

[SNIP]
$file = str_replace('//','',str_replace('..','',$_GET['file']));
[/SNIP]

to:

[SNIP]
$file = str_replace('..','',$_GET['file']);
[/SNIP]


-- 
Pozdrawiam,
Dariusz Kolasinski
<Linux Administrator>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault