 | |
| |||||||
| Home | Register | Projects | Blogs | FAQ | Calendar | Search | Today's Posts | Mark Forums Read | Free Directory | Free DNSReport | Tags |
| Notices |
| Security discussions Discuss about the computer security in general |
i-Gallery directory traversalThis is a discussion on "i-Gallery directory traversal" within the Security discussions part of the Computer Security: Discussions section; Hat-Squad Advisory: i-Gallery directory traversal Product: i-Gallery Vendor Url: http://www.b-cp.com Version: 3.3 (older versions not tested , but assumed vulnerable) Vulnerability: Directory traversal and CSS bug Release Date: Vendor Status: Informed: 15 June ... |
 |
| | LinkBack | Thread Tools | Display Modes |
21-06-05
| ||||
| ||||
 i-Gallery directory traversal Hat-Squad Advisory: i-Gallery directory traversal Product: i-Gallery Vendor Url: http://www.b-cp.com Version: 3.3 (older versions not tested , but assumed vulnerable) Vulnerability: Directory traversal and CSS bug Release Date: Vendor Status: Informed: 15 June 2005 Second Contact: 19 June 2005 Advisory Released: 20 June 2005 Overview: i-Gallery is a complete online photo gallery. Easy to navigate thumbnails with paging. Enlarged views offer print & email buttons. Secured backend features: create/delete folders, upload/delete images, add descriptions, move images, and much more... ################################################## ###################### Problem 1: The i-Gallery uses no protection to avoid the directory traversal bug. The problem happens when the attacker uses the classic pattern "/../" that allows him to see and download any file in the remote system knowing the path.By use of preview feature of the i-Gallery it`s possible to get list of directory files ( not folders ) and attempt to download them .so not like most of directory traversal attacks , due to the nature of i- gallery you only need to be aware of correct directory path . file name will be handleded by i-gallery in a nice interface :> Attack is possible on almost all asp files to get files , but my favor browse interface is the "folderview.asp" file . Google Scanner : inurl:"/gallery/folderview.asp?folder=" sample exploit : http://<host>/gallery/folderview.asp? folder=Sport+Champions/../../../../../../../../winnt/repair you`ll probebly go for "SAM" but I should notice you a little challenge while downloading files without extencions AND the permision staff  ################################################## ###################### Problem 2: i-Gallery lack of input validation for any user request . as a resault attacks like cross-site scripting become possible , and steal stored cookies of secured interface of i-Gallery become possible to name one example. Sample Exploit: http://<host>/gallery/folderview. ... t>alert (document.cookie)</script> ################################################## ###################### Workaround : Apply vendor patch. ( No responce from vendor up to now ) Credits: This Vulnerability has been discovered by Seyed Hamid Kashfi(hamid@hat- squad.com)  |
| Sponsor | ||
| ||
| |
|
| | |
| directory, igallery, traversal | |
| Thread Tools | |
| Display Modes | |
Linear Mode
| |
Similar Threads | ||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Aconon Mail 2004 Remote Directory Traversal Vulnerability | Heap | Public | 0 | 24-01-08 05:17 |
| Web Wiz NewsPad 1.02 (sub) Remote Directory Traversal Vulnerability | Heap | Public | 0 | 23-01-08 17:13 |
| Web Wiz Forums 9.07 (sub) Remote Directory Traversal Vulnerability | Heap | Public | 0 | 23-01-08 17:13 |
| Frimousse 0.0.2 explorerdir.php Local Directory Traversal Vulnerability | Heap | Public | 0 | 21-01-08 05:11 |
| TikiWiki < 1.9.9 tiki-listmovies.php Directory Traversal Vulnerability | Heap | Public | 0 | 21-01-08 05:11 |
