Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [KAPDA]CopperminePhotoGallery1.4.4~ PluginInclusionSystem(index.php)~ RemoteFileInclusion attack

From: Dariusz Kolasinski <ofi () evil net pl>
Date: Sun, 16 Apr 2006 11:40:13 +0200
Dnia sobota, 15 kwietnia 2006 07:26, addmimistrator () gmail com napisał:

ORIGINAL ADVISORY:
http://myimei.com/security/2006-04-14/copperminephotogallery144-plugininclu
sionsystemindexphp-remotefileinclusion-attack.html ——————-Summary—————-
Software: CPG Coppermine Photo Gallery
Sowtware’s Web Site: http://coppermine.sourceforge.net/
Versions: 1.4.4.stable
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: High

SEE ORIGINAL ADV FOR MORE INFO!


Quick fix:
change following lines in index.php:

[SNIP]
$file = str_replace('//','',str_replace('..','',$_GET['file']));
[/SNIP]

to:

[SNIP]
$file = str_replace('..','',$_GET['file']);
[/SNIP]


-- 
Pozdrawiam,
Dariusz Kolasinski
<Linux Administrator>
Previous By Date Next
Previous By Thread Next

Current thread: