DESCRIPTION:

There is a directory traversal vulnerability in phpimglist. The script
takes the directory to list from the user-supplied $cwd parameter
without restricting it to the configured root directory, so a user can
browse directories outside the web root. The listing only shows
directories and image files, although there might be a way around
this.

Exploit:

    http://www.site.com/images/?cwd=../../../../
      -or-
    http://www.site.com/images/?cwd=/

UNOFFICIAL FIX:

Around line 76, there is a block like:

    if (!$cwd) {
        $cwd = $SET......
    } else {
        $cwd = .....
    }

Replace this block with the following block:

    if (!$cwd) {
        $cwd = $SETTINGS["rootdir"];
    } else {
        $cwd = ereg_replace("\.+", "", $cwd);
        $cwd = ereg_replace("^/+", "", $cwd);
    }

This appears to fix the problem. Two caveats: the first ereg_replace()
strips every dot, not just "..", so a directory or file name that
legitimately contains a dot (for example "2001.05") is mangled and
becomes unreachable; and the block blocks traversal by rewriting the
input rather than by checking that the resolved path actually lies
under $SETTINGS["rootdir"], which is the check a reviewer would want to
see. (ereg_replace() no longer exists in PHP 7 and later;
preg_replace() is the replacement.)

VENDOR/AUTHOR STATUS:

I contacted the author and got a VERY QUICK response. The email
transcript is below:

----
Hm.. Thanks :) I'll get that fixed ASAP.. I thought I had put checking
for ../ in, but never tested it :) If you have any ideas for the script,
or find anything else, lemme know.. ;]

replying to:

> You can traverse directories using the $cwd variable in phpimglist.
> Example is:
>
>     http://phpimglist.site/?cwd=/
>       or
>     http://phpimglist.site/?cwd=../../../../../
>
> This allows you to navigate the filesystem and see any image on the
> filesystem, perhaps more..
>
> I added something that I believe fixed it..
>
>     if (!$cwd) {
>         $cwd = $SETTINGS["rootdir"];
>     } else {
>         $cwd = ereg_replace("\.+", "", $cwd);
>         $cwd = ereg_replace("^/+", "", $cwd);
>     }
>
> You had something similar but it was not working for some reason.
----

Cheers,
Jason DiCioccio
geniusj@ods.org
Open Domain Service
http://www.ods.org/
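The following PHP script is an added example, not phpimglist's own code, and
is meant to be run from the command line with PHP 7.1 or later. It puts the
three ways of handling $cwd side by side: the unchecked join that allows the
traversal described in the advisory, the unofficial dot-stripping fix (with
preg_replace() standing in for ereg_replace()), and a realpath()-based
containment check. The directory tree (a root with "album/2001.05/photo.jpg"
and a sibling "secret" directory outside the root) is constructed under the
system temp directory for the demonstration, and the way the real script
joins $cwd to rootdir is an assumption here (relative values joined to
rootdir, absolute values used as given).

```php
<?php
// Added example, not phpimglist's own code. Models the unchecked $cwd
// handling, the advisory's dot-stripping fix, and a realpath() containment
// check side by side. The directory tree is constructed under the system
// temp dir for the demo; how the real script joins $cwd to rootdir is an
// assumption (relative values joined to rootdir, absolute values used as-is).

$tmp = sys_get_temp_dir() . '/phpimglist_demo_' . getmypid();
mkdir($tmp . '/root/album/2001.05', 0700, true);
mkdir($tmp . '/secret', 0700, true);
$base = realpath($tmp);          // canonical path so printed suffixes line up
$root = $base . '/root';         // stands in for $SETTINGS["rootdir"]
touch($root . '/album/2001.05/photo.jpg');
touch($base . '/secret/private.jpg');

// Vulnerable: no containment check, so "../" climbs out and "/" is absolute.
function vulnerable_dir(string $root, string $cwd): string
{
    if ($cwd === '') {
        return $root;
    }
    return $cwd[0] === '/' ? $cwd : $root . '/' . $cwd;
}

// The advisory's unofficial fix, with preg_replace() standing in for
// ereg_replace(): every dot and any leading slashes are stripped, then the
// remainder is treated as relative to the root. "../secret" becomes
// "secret", but "album/2001.05" becomes "album/200105".
function stripped_dir(string $root, string $cwd): string
{
    if ($cwd === '') {
        return $root;
    }
    $cwd = preg_replace('/\.+/', '', $cwd);   // ereg_replace("\.+", "", $cwd)
    $cwd = preg_replace('#^/+#', '', $cwd);   // ereg_replace("^/+", "", $cwd)
    return $root . '/' . $cwd;
}

// Hardened: resolve the requested path with realpath(), which collapses
// "..", symlinks and repeated slashes, then require it to be the root or a
// path under the root. Anything else (including a nonexistent path) is
// rejected instead of being rewritten.
function safe_dir(string $root, string $cwd): ?string
{
    $rootReal = realpath($root);
    $target   = realpath($root . '/' . $cwd);
    if ($rootReal === false || $target === false) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if ($target !== $rootReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function describe(string $base, string $dir): string
{
    return is_dir($dir) ? 'lists ' . substr($dir, strlen($base)) : 'not found';
}

// Constructed request values: the advisory's exploits plus a legitimate
// directory whose name contains a dot.
$cases = ['', 'album/2001.05', '../secret', '/../secret',
          'album/../../secret', $base . '/secret'];
foreach ($cases as $cwd) {
    printf("cwd=%s\n", $cwd === '' ? '(empty)' : $cwd);
    printf("  vulnerable: %s\n", describe($base, vulnerable_dir($root, $cwd)));
    printf("  stripped:   %s\n", describe($base, stripped_dir($root, $cwd)));
    $safe = safe_dir($root, $cwd);
    printf("  realpath:   %s\n", $safe === null ? 'rejected' : describe($base, $safe));
}

// Remove the constructed tree.
unlink($root . '/album/2001.05/photo.jpg');
unlink($base . '/secret/private.jpg');
foreach ([$root . '/album/2001.05', $root . '/album', $root, $base . '/secret', $base] as $d) {
    rmdir($d);
}
```

Running it shows the vulnerable join listing the "secret" directory for
every traversal value, the dot-stripping fix blocking those values but
failing to find the legitimate "album/2001.05" directory, and the
realpath() check listing "album/2001.05" while rejecting every value that
resolves outside the root. The realpath() approach is the one to carry into
a real fix: it rejects rather than rewrites, so it does not depend on
enumerating every encoding of "..".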