Home page logo

bugtraq logo Bugtraq mailing list archives

Multiple bugs in TFT-Gallery
From: nj () hackerz ir
Date: 4 Dec 2006 09:57:04 -0000

Script Name: TFT-Gallery
Authors: Mike Scalora, Eric Thelin, Sascha Lorenz & Jan Berndt
Website: http://tftgallery.sourceforge.net
Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com)
Status: Patch not released

First i should apologize for my bad english.

        TFT-Gallery is a PHP-based Web image gallery & does n't require databse.
Bugs Description:
First bug)
        Look at admin`s index page(/admin/index.php)

        if(file_exists("passwd")) {
                        $fd = fopen("passwd", "r");
                        $givenpw = fgets($fd,15);
                        if(isset($_REQUEST['password']) and
                                isset($_REQUEST['username']) and
                                        $_REQUEST['username']=='admin' and
                                                crypt($_REQUEST['password'], "tftgallery") == $givenpw) {
                        } else {
                                include_once "login_form.inc";

        TFT-Gallery stores admin's password in "passwd" file at admin folder, so everyone has access
to it by going to:
TIP: Password hashed by DES algorithm.
TIP: Username is "admin".
Second Bug)
        TFT-Gallery doesn't check file extension so if somebody who has gain access by First bug can 
upload any file extension (ex. evil.php).

        Edit code and store passwd some where else (out of wwwroot).

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]