Home page logo
/

bugtraq logo Bugtraq mailing list archives

Directory Traversal Vulnerability in Goop Gallery 2.0.2
From: security () armorize com
Date: 11 Oct 2006 01:02:40 -0000

Armorize Technologies Security Advisory

Advisory No:
Armorize-ADV-2006-0004

Status:
Partial

Date:
2006/10/04

Bugtraq No.:
N/A

Summary:
Armorize-ADV-2006-0004 discloses a special case of directory traversal vulnerability found in Goop Gallery, which is is 
a directory based photo gallery and does not require database installation. All you have to do is upload your images 
with GOOP Gallery, set a hand full of configuration variables, and you've got a picture gallery. GOOP Gallery 
dynamically resizes images to sizes you specify. No need to spend hours making thumbnails or writing code for every 
picture, GOOP Gallery will do that for you. The configuration file allows you to adjust almost every aspect of your 
gallery. GOOP Gallery 2.0 allows you to set multiple ways for viewing your images and let's vistors set their own 
preference.

Affected Software:
Goop Gallery 2.0.2

Vulnerability Description:
Directory Traversal

Analysis/Impact:
Allows malicious users to access restricted directories and/or view data outside the normal scope which may lead to 
information theft and invasion of privacy.

Detection/Exploit(partial):
http://www.example.com/[PATH]/download.php

Protection/Solution:
1. Escape every questionable user input.
2. Add sanitization functions before passing parameters to sensitive functions.

Credit: Security Team at Armorize Technologies, Inc. (security () armorize com)


Additional Information:
Link to this Armorize advisory
http://www.armorize.com/advisory.php?Keyword=Armorize-ADV-2006-0004

Links to all Armorize advisories
http://www.armorize.com/advisory/

Links to Armorize vulnerability database
http://www.armorize.com/resources/vulnerability.php

Armorize Technologies is a software security company focused on Web application security. Our source code analysis 
tools provide Web application security that transcends firewalls, intrusion detection systems (IDSs), and all other 
signature-based security devices. Armorize's main product, CodeSecure, uses award-winning and patent-pending source 
code verification technology to identify vulnerabilities in Web applications during the earliest stage of the software 
development lifecycle.

Papers on source code analysis technology from our founding team have won awards at two consecutive International World 
Wide Web Conferences. The latest version of CodeSecure addresses current market gaps in Web security products by 
helping Web developers detect vulnerabilities and choose from rapidly generated solutions. The company is headquartered 
in Santa Clara, California with its R


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]