Bugtraq mailing list archives
Re: [KAPDA]CopperminePhotoGallery1.4.4~ PluginInclusionSystem(index.php)~ RemoteFileInclusion attack
From: Dariusz Kolasinski <ofi () evil net pl>
Date: Sun, 16 Apr 2006 11:40:13 +0200
Dnia sobota, 15 kwietnia 2006 07:26, addmimistrator () gmail com napisał:
ORIGINAL ADVISORY: http://myimei.com/security/2006-04-14/copperminephotogallery144-plugininclu sionsystemindexphp-remotefileinclusion-attack.html -Summary- Software: CPG Coppermine Photo Gallery Sowtwares Web Site: http://coppermine.sourceforge.net/ Versions: 1.4.4.stable Class: Remote Status: Unpatched Exploit: Available Solution: Available Discovered by: imei addmimistrator Risk Level: High SEE ORIGINAL ADV FOR MORE INFO!
Quick fix: change following lines in index.php: [SNIP] $file = str_replace('//','',str_replace('..','',$_GET['file'])); [/SNIP] to: [SNIP] $file = str_replace('..','',$_GET['file']); [/SNIP] -- Pozdrawiam, Dariusz Kolasinski <Linux Administrator>
Current thread:
- [KAPDA]CopperminePhotoGallery1.4.4~ PluginInclusionSystem(index.php)~ RemoteFileInclusion attack addmimistrator (Apr 15)
- Re: [KAPDA]CopperminePhotoGallery1.4.4~ PluginInclusionSystem(index.php)~ RemoteFileInclusion attack Dariusz Kolasinski (Apr 17)