-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MHL-2006-003 - Public Advisory +-----------------------------------------------------------+ | ezOnlineGallery Multiple Security Issues | +-----------------------------------------------------------+ PUBLISHED ON October 26th, 2006 PUBLISHED AT http://www.mayhemiclabs.com/advisories/MHL-2006-003.txt http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006003 PUBLISHED BY Mayhemic Labs http://www.mayhemiclabs.com security AT mayhemiclabs DOT com GPG key: 0x56143F84 APPLICATION ezOnlineGallery http://www.ezonlinegallery.com/ AFFECTED VERSIONS Versions 1.3 and below ISSUES ezOnlineGallery allows disclosure of certain data about the system it is installed on. 1) Valid Path Disclosures By editing the album variable when the "show_album" action is called on ezgallery.php, an attacker can verify the existance of any directory on a system. The system will attempt to display an album if the path is valid, and will return an error if the path is invalid. EXAMPLE: ezgallery.php?action=show_album&album=../../../../../etc/ 2) File Disclosure By editing both the album and image variables on image.php an attacker can view any JPG, BMP, or PNG that the apache process has read access to. image.php?album=../../home/jrluser/girlfriendpics&image=nude.jpg WORKAROUNDS None at this time SOLUTIONS Upgrade to 1.3.2 Beta REFERENCES ezOnlineGallery - http://www.ezonlinegallery.com/ TIMELINE October 26th, 2006 Vendor/Developer Notified Vendor/Developer Fixes Issues Public Release ADDITIONAL CREDIT N/A LICENSE Creative Commons Attribution-ShareAlike License http://creativecommons.org/licenses/by-sa/2.5 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFQWG1zjnMaVYUP4QRAmn5AKCggkwoeoEwskcExkJtNnwWC4UBkQCgjetQ 1bjFMzRtPuveUAU6a0+ZaWg= =yUPA -----END PGP SIGNATURE-----