[24629] in bugtraq
Directory traversal vulnerability in phpimglist
daemon@ATHENA.MIT.EDU (Jason DiCioccio)
Mon Mar 11 22:51:36 2002
Message-ID: <3C8C46B5.1050405@ods.org>
Date: Sun, 10 Mar 2002 21:55:01 -0800
From: Jason DiCioccio <geniusj@ods.org>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
DESCRIPTION: There is a vulnerability in phpimglist which allows a user
to traverse directories outside the web root via the cwd parameter. The
script only lists directories and image files, although there may be a
way around that restriction.
Exploit: http://www.site.com/images/?cwd=../../../../
-or-
http://www.site.com/images/?cwd=/
UNOFFICIAL FIX: Around line 76, there is a block like:
if (!$cwd) { $cwd = $SET...... else {
$cwd = .....
}
Replace this block with the following block:
if (!$cwd) { $cwd = $SETTINGS["rootdir"]; } else {
    $cwd = ereg_replace("\.+","",$cwd);
    $cwd = ereg_replace("^/+","",$cwd);
}
This appears to fix the problem.
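The fix above works by deleting every dot and every leading slash from $cwd, so the two URLs in the Exploit section no longer reach anything outside the image root. Stripping all dots has a side effect, though: a legitimate directory name such as photos.2002 becomes photos2002. The more usual check is to resolve the requested path with realpath() and then verify that the result still lies under the configured root. The following is an added example, not phpimglist's own code; it keeps the $SETTINGS["rootdir"] name from the advisory, and the function name resolve_cwd and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example (not phpimglist's own code): confine a user-supplied ?cwd=
// value to the configured image root by canonicalising it with realpath()
// and checking the prefix, rather than stripping dots with a regex.
// $SETTINGS["rootdir"] is the name used in the advisory; the directory
// layout built below is constructed for this demonstration only.

function resolve_cwd(string $rootdir, ?string $cwd): ?string
{
    // Canonicalise the configured root once; it must exist.
    $root = realpath($rootdir);
    if ($root === false) {
        return null;
    }
    // An empty or missing cwd means the root itself (same default as the fix).
    if ($cwd === null || $cwd === '') {
        return $root;
    }
    // Always treat cwd as relative to the root, never as an absolute path,
    // then let realpath() collapse "." / ".." segments and symlinks.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $cwd);
    if ($candidate === false || !is_dir($candidate)) {
        return null;          // nonexistent, or not a directory
    }
    // Accept only the root itself or a path strictly inside it.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($candidate !== $root && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;          // resolved outside the image root
    }
    return $candidate;
}

// --- constructed demonstration layout (removed again at the end) ---
$base = sys_get_temp_dir() . '/phpimglist_demo_' . getmypid();
mkdir("$base/images/photos.2002", 0700, true);
mkdir("$base/secret", 0700, true);

$SETTINGS = ["rootdir" => "$base/images"];

$cases = [
    ""                  => "default to the image root",
    "photos.2002"       => "legitimate subdirectory with a dot in its name",
    "../../../../"      => "traversal URL from the advisory",
    "/"                 => "absolute path URL from the advisory",
    "../secret"         => "sibling directory outside the root",
    "photos.2002/../.." => "escape behind a legitimate prefix",
];
foreach ($cases as $cwd => $why) {
    $resolved = resolve_cwd($SETTINGS["rootdir"], $cwd);
    printf("%-20s %-48s -> %s\n", var_export($cwd, true), $why,
           $resolved === null ? "REJECTED" : $resolved);
}

// Clean up the constructed directories.
rmdir("$base/images/photos.2002");
rmdir("$base/images");
rmdir("$base/secret");
rmdir($base);
```

With this layout the empty value and photos.2002 resolve to directories under the root, while the two advisory URLs, ../secret and photos.2002/../.. are all rejected. Because cwd is appended to the root before resolution, ?cwd=/ simply lands on the image root instead of the filesystem root, and no dot-stripping is needed.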
VENDOR/AUTHOR STATUS: I contacted the author and got a VERY QUICK
response. The email transcript is below:
----
Hm.. Thanks :) I'll get that fixed ASAP.. I thought I had put checking
for ../ in, but never tested it :)
if you have any ideas for the script, or find anything else, lemme know..
;]
replying to:
You can traverse directories using the $cwd variable in phpimglist.
Example is:
http://phpimglist.site/?cwd=/
or
http://phpimglist.site/?cwd=../../../../../
This allows you to navigate the filesystem and see any image on the
filesystem, perhaps more..
I added something that I believe fixed it..
if (!$cwd) { $cwd = $SETTINGS["rootdir"]; } else {
    $cwd = ereg_replace("\.+","",$cwd);
    $cwd = ereg_replace("^/+","",$cwd);
}
You had something similar but it was not working for some reason.
----
Cheers,
Jason DiCioccio
geniusj@ods.org
Open Domain Service
http://www.ods.org/