PHPix advisory

[pestilence <pestilence () SYNNERGY NET>]

Please find attacged PHPix advisory.

        Synnergy Laboratories Advisory SLA-2000-15

NAME

       PHPix 1.0.X directory traversal vulnerability

AFFECTED

        Linux/UNIX with PHPix 1.0.0/1.0.1/1.0.2

SYNOPSIS

 Synnergy Labs has found a flaw within PHPix that allows a user to successfully
 traverse the filesystem on a remote host, allowing arbitary files/folders to be
 read.


DESCRIPTION

 PHPix is a Web-based photo album viewer written in PHP. It features automatic
 generation of thumbnails and different resolution files for viewing on the fly.
 PHPix Photo Album is available from http://phpix.org

 Synnergy has recently discovered a flaw within PHPix that allow a remote user to
 traverse a directory as a request to the script using the
 $mode=album&album=_some_dir_variable. It is then possible to read any file
 or folder's contents with priviledges as the httpd.

 Example:

 http://target.com/Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&dispsize=640&start=0

 The above line if given will output all the directories that are nested within /etc
 directory. Other more sinister content can be revealed from there.


SOLUTION

  The vendors have been informed of the bug. It is advised to wait for the next patched
  version of PHPix to be reelased.


AUTHOR

        Discovery: pestilence @ synnergy.net


DISCLAIMER

        Synnergy Laboratories may not be held liable for the use or potential
        effects of these programs or advisories, nor the content contained
        within. Use them at your own risk.

COPYRIGHT

        Synnergy Laboratories -  www.synnergy.net (c) 1998-2000