In addition, an official upgrade has been released:

phpimglist 1.2.2 has been released and is available from:
http://www.liquidpulse.net/s.lp?id=17

Cheers,
-JD-

Jason DiCioccio wrote:

> DESCRIPTION: There is a vulnerability in phpimglist which allows a user
> to traverse through directories outside the web root. It only shows
> directories and image files although there might be a way around this.
>
> Exploit: http://www.site.com/images/?cwd=../../../../
> -or-
> http://www.site.com/images/?cwd=/
>
> UNOFFICIAL FIX: Around line 76, there is a block like:
>
> if (!$cwd) { $cwd = $SET...... else {
>     $cwd = .....
> }
>
> Replace this block with the following block:
>
> if (!$cwd) { $cwd = $SETTINGS["rootdir"]; } else {
>     $cwd = ereg_replace("\.+","",$cwd);
>     $cwd = ereg_replace("^/+","",$cwd);
> }
>
> This appears to fix the problem.
>
> VENDOR/AUTHOR STATUS: I contacted the author and got a VERY QUICK
> response. The email transcript is below:
>
> ----
>
> Hm.. Thanks :) I'll get that fixed ASAP.. i thought I had put checking
> for ../ in, but never tested it :)
>
> if you have any ideas for the script, or find anything else, lemme know..
> ;]
>
> replying to:
> You can traverse directories using the $cwd variable in phpimglist.
> Example is:
>
> http://phpimglist.site/?cwd=/
> or
> http://phpimglist.site/?cwd=../../../../../
>
> This allows you to navigate the filesystem and see any image on the
> filesystem, perhaps more..
>
> I added something that I believe fixed it..
>
> if (!$cwd) { $cwd = $SETTINGS["rootdir"]; } else {
>     $cwd = ereg_replace("\.+","",$cwd);
>     $cwd = ereg_replace("^/+","",$cwd);
> }
>
> You had something similar but it was not working for some reason.
>
> ----
>
> Cheers,
> Jason DiCioccio
> geniusj@ods.org
>
> Open Domain Service
> http://www.ods.org/
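
Added example, not part of the original post and not phpimglist code: the unofficial fix quoted above filters characters out of $cwd, which also deletes the dots in legitimate directory names. An alternative check is to canonicalize the requested path and accept it only if it still lies under the image root. The function name resolve_cwd and the sample directory tree are assumptions made for illustration.

```php
<?php
// Hypothetical helper (not from phpimglist): resolve a user-supplied ?cwd=
// value and accept it only if the canonical path is inside the image root.
function resolve_cwd(string $rootdir, ?string $cwd): ?string
{
    $root = realpath($rootdir);
    if ($root === false) {
        return null;                  // misconfigured root: fail closed
    }
    if ($cwd === null || $cwd === '') {
        return $root;                 // no cwd given: default to the root
    }
    if (strpos($cwd, "\0") !== false) {
        return null;                  // reject embedded NUL bytes
    }
    // realpath() collapses "..", ".", repeated slashes and symlinks,
    // and returns false when the target does not exist.
    $target = realpath($root . DIRECTORY_SEPARATOR . $cwd);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Compare against the root plus a trailing separator, so a sibling
    // such as "images-private" does not pass as a child of "images".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $root && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample tree so the example runs offline.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'imglist_demo_' . getmypid();
mkdir($base . '/images/trip.2001', 0700, true);
mkdir($base . '/images-private', 0700, true);

// The two cwd values from the report, plus constructed edge cases.
$root = $base . '/images';
foreach (['', 'trip.2001', '../../../../', '/', '../images-private', 'missing'] as $cwd) {
    $result = resolve_cwd($root, $cwd);
    printf("%-22s => %s\n", var_export($cwd, true), $result ?? 'REJECTED');
}

// Remove the constructed tree again.
foreach (['/images/trip.2001', '/images', '/images-private', ''] as $dir) {
    rmdir($base . $dir);
}
```

With this check, "trip.2001" resolves normally, "/" and the empty value both map to the image root, and "../../../../", "../images-private" and the nonexistent "missing" are rejected.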