[24631] in bugtraq


Re: Directory traversal vulnerability in phpimglist

daemon@ATHENA.MIT.EDU (Jason DiCioccio)
Mon Mar 11 23:02:38 2002

Message-ID: <3C8CCD17.6020906@ods.org>
Date: Mon, 11 Mar 2002 07:28:23 -0800
From: Jason DiCioccio <geniusj@ods.org>
MIME-Version: 1.0
To: bugtraq <bugtraq@securityfocus.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

In addition, an official upgrade has been released:

phpimglist 1.2.2 has been released and is available from:
http://www.liquidpulse.net/s.lp?id=17

Cheers,
-JD-

Jason DiCioccio wrote:

> DESCRIPTION:  There is a vulnerability in phpimglist which allows a user
> to traverse through directories outside the web root.  It only shows
> directories and image files although there might be a way around this.
> 
> Exploit: http://www.site.com/images/?cwd=../../../../
>          -or-
>          http://www.site.com/images/?cwd=/
> 
> UNOFFICIAL FIX:  Around line 76, there is a block like:
> 
> if (!$cwd) { $cwd = $SET...... else {
>      $cwd = .....
> }
> 
> 
> Replace this block with the following block:
> 
> if (!$cwd) { $cwd = $SETTINGS["rootdir"]; } else {
>         $cwd = ereg_replace("\.+","",$cwd);
>         $cwd = ereg_replace("^/+","",$cwd);
> }
> 
> This appears to fix the problem.
> 
> 
> VENDOR/AUTHOR STATUS: I contacted the author and got a VERY QUICK
> response.  The email transcript is below:
> 
> ----
> 
> Hm.. Thanks  :) I'll get that fixed ASAP.. I thought I had put checking
> for ../ in, but never tested it :)
> 
> if you have any ideas for the script, or find anything else, lemme know..
> ;]
> 
> replying to:
> You can traverse directories using the $cwd variable in phpimglist.
> Example is:
> 
> http://phpimglist.site/?cwd=/
> or
> http://phpimglist.site/?cwd=../../../../../
> 
> This allows you to navigate the filesystem and see any image on the
> filesystem, perhaps more..
> 
> I added something that I believe fixed it..
> 
> if (!$cwd) { $cwd = $SETTINGS["rootdir"]; } else {
>         $cwd = ereg_replace("\.+","",$cwd);
>         $cwd = ereg_replace("^/+","",$cwd);
> }
> 
> You had something similar but it was not working for some reason.
> 
> ----
> 
> Cheers,
> Jason DiCioccio
> geniusj@ods.org
> 
> Open Domain Service
> http://www.ods.org/
> 
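
An added example, not part of the original post and not phpimglist code: instead of stripping dots and leading slashes from cwd (which also changes a legitimate name such as "holiday.2002"), the value can be resolved to a canonical path and checked for containment under the gallery root. The helper name resolve_cwd(), the variable $rootDir (standing in for $SETTINGS["rootdir"]) and the demo directory names are assumptions made for the illustration.

```php
<?php
// Added example, not phpimglist code. resolve_cwd() is a hypothetical helper;
// $rootDir stands in for $SETTINGS["rootdir"].

/**
 * Resolve a user-supplied cwd against the gallery root and return the
 * canonical path, or null if it does not exist or falls outside the root.
 */
function resolve_cwd(string $rootDir, ?string $cwd): ?string
{
    $root = realpath($rootDir);
    if ($root === false) {
        return null;                  // misconfigured root: fail closed
    }
    if ($cwd === null || $cwd === '') {
        return $root;                 // no parameter: list the root itself
    }
    // Always treat the value as relative to the root, then canonicalize.
    // realpath() collapses "..", "." and repeated slashes and follows symlinks.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $cwd);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Containment check on the canonical form. Comparing against
    // root + separator avoids matching a sibling such as "gallery-private".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $root && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo tree under the system temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'imglist_demo_' . getmypid();
mkdir($base . '/gallery/holiday.2002', 0700, true);
mkdir($base . '/gallery-private', 0700, true);

// Constructed inputs: the two values from the advisory plus edge cases.
$inputs = ['', 'holiday.2002', '../../../../', '/', '../gallery-private', 'holiday.2002/..'];
foreach ($inputs as $cwd) {
    $resolved = resolve_cwd($base . '/gallery', $cwd);
    printf("%-22s => %s\n", var_export($cwd, true), $resolved ?? 'REJECTED');
}
```

With this check, "../../../../" and "../gallery-private" are rejected, while "/" and "holiday.2002/.." both resolve to the gallery root itself because the value is always joined to the root before canonicalization.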


