 | |
| |||||||
| Security discussions Discuss about the computer security in general |
i-Gallery directory traversalThis is a discussion on "i-Gallery directory traversal" within the Security discussions part of the Computer Security: Discussions section; Hat-Squad Advisory: i-Gallery directory traversal Product: i-Gallery Vendor Url: http://www.b-cp.com Version: 3.3 (older versions not tested , but assumed vulnerable) Vulnerability: Directory traversal and CSS bug Release Date: Vendor Status: Informed: 15 June ... |
 |
| | LinkBack | Thread Tools | Display Modes |
21-06-05
| ||||
| ||||
 i-Gallery directory traversal Hat-Squad Advisory: i-Gallery directory traversal Product: i-Gallery Vendor Url: http://www.b-cp.com Version: 3.3 (older versions not tested , but assumed vulnerable) Vulnerability: Directory traversal and CSS bug Release Date: Vendor Status: Informed: 15 June 2005 Second Contact: 19 June 2005 Advisory Released: 20 June 2005 Overview: i-Gallery is a complete online photo gallery. Easy to navigate thumbnails with paging. Enlarged views offer print & email buttons. Secured backend features: create/delete folders, upload/delete images, add descriptions, move images, and much more... ################################################## ###################### Problem 1: The i-Gallery uses no protection to avoid the directory traversal bug. The problem happens when the attacker uses the classic pattern "/../" that allows him to see and download any file in the remote system knowing the path.By use of preview feature of the i-Gallery it`s possible to get list of directory files ( not folders ) and attempt to download them .so not like most of directory traversal attacks , due to the nature of i- gallery you only need to be aware of correct directory path . file name will be handleded by i-gallery in a nice interface :> Attack is possible on almost all asp files to get files , but my favor browse interface is the "folderview.asp" file . Google Scanner : inurl:"/gallery/folderview.asp?folder=" sample exploit : http://<host>/gallery/folderview.asp? folder=Sport+Champions/../../../../../../../../winnt/repair you`ll probebly go for "SAM" but I should notice you a little challenge while downloading files without extencions AND the permision staff  ################################################## ###################### Problem 2: i-Gallery lack of input validation for any user request . as a resault attacks like cross-site scripting become possible , and steal stored cookies of secured interface of i-Gallery become possible to name one example. Sample Exploit: http://<host>/gallery/folderview. ... t>alert (document.cookie)</script> ################################################## ###################### Workaround : Apply vendor patch. ( No responce from vendor up to now ) Credits: This Vulnerability has been discovered by Seyed Hamid Kashfi(hamid@hat- squad.com)
__________________  |
| Sponsor | ||
| ||
| |
|
| | |
| directory, igallery, traversal | |
| Thread Tools | |
| Display Modes | |
Linear Mode
| |
Similar Threads | ||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Small HTTP Server 3.05.85 Directory Traversal Exploit | Heap | Public | 0 | 02-02-09 16:22 |
| Joomla Component Archaic Binary Gallery Directory Traversal Vuln | Heap | Public | 0 | 24-10-08 06:11 |
| BbZL.PhP 0.92 (lien_2) Local Directory Traversal Vulnerability | Heap | Public | 0 | 28-09-08 23:40 |
| Acronis PXE Server 2.0.0.1076 Directory Traversal / NULL Pointer Vulns | Heap | Public | 0 | 11-03-08 04:58 |
| Ruby 1.8.6 (Webrick Httpd 1.3.1) Directory Traversal Vulnerability | Heap | Public | 0 | 06-03-08 16:08 |
