BugTraq
[KAPDA]CopperminePhotoGallery1.4.4~ PluginInclusionSystem(index.php)~ RemoteFileInclusion attack
Apr 15 2006 05:26AM
addmimistrator gmail com
(1 replies)
Re: [KAPDA]CopperminePhotoGallery1.4.4~ PluginInclusionSystem(index.php)~ RemoteFileInclusion attack
Apr 16 2006 09:40AM
Dariusz Kolasinski (ofi evil net pl)
On Saturday, 15 April 2006 07:26, addmimistrator (at) gmail (dot) com [email concealed] wrote:
> ORIGINAL ADVISORY:
> http://myimei.com/security/2006-04-14/copperminephotogallery144-plugininclusionsystemindexphp-remotefileinclusion-attack.html
> -----Summary-----
> Software: CPG Coppermine Photo Gallery
> Software's Web Site: http://coppermine.sourceforge.net/
> Versions: 1.4.4.stable
> Class: Remote
> Status: Unpatched
> Exploit: Available
> Solution: Available
> Discovered by: imei addmimistrator
> Risk Level: High
>
> SEE ORIGINAL ADV FOR MORE INFO!
Quick fix:
change the following line in index.php:
[SNIP]
$file = str_replace('//','',str_replace('..','',$_GET['file']));
[/SNIP]
to:
[SNIP]
$file = str_replace('..','',$_GET['file']);
[/SNIP]
--
Regards,
Dariusz Kolasinski
<Linux Administrator>
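As an added example (not code from the original post or from Coppermine itself), here is the blacklist filter from this thread beside a containment check that resolves the requested name under an assumed plugins directory and rejects anything that escapes it or carries a URL scheme:

```php
<?php
// Added example (not Coppermine's own code): contrasts the blacklist-style
// filter discussed in this thread with a containment check that resolves the
// requested name and verifies it stays inside an allowed directory.
// The plugins directory used below is an assumed placeholder.

declare(strict_types=1);

// Blacklist approach from the thread: strip '..' and '//' and include the rest.
function weak_filter(string $file): string
{
    return str_replace('//', '', str_replace('..', '', $file));
}

// Hardened approach: accept only a relative, scheme-less name, then resolve it
// and require the result to live under $baseDir. Returns null on rejection.
function safe_include_path(string $file, string $baseDir): ?string
{
    // Reject empty names, absolute paths, stream wrappers (http://, php://, ...)
    // and NUL bytes before touching the filesystem.
    if ($file === '' || $file[0] === '/' || $file[0] === '\\'
        || strpos($file, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*:#i', $file) === 1) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $file);
    // realpath() is false for missing files, so unknown plugins are rejected too.
    if ($base === false || $real === false) {
        return null;
    }
    // Containment: the resolved path must start with "<base>/". A character
    // blacklist cannot guarantee this (absolute paths and wrappers pass it).
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Demo with constructed request values.
$pluginsDir = __DIR__ . '/plugins';
foreach (['foo/index.php', 'http://example.invalid/x.txt', '../../etc/passwd', "x\0.php"] as $req) {
    $result = safe_include_path($req, $pluginsDir);
    printf("%-32s weak=%-28s safe=%s\n", var_export($req, true),
        weak_filter($req), $result ?? 'rejected');
}
```

Only a name that resolves to an existing file below the plugins directory is returned; every other request, including ones the str_replace filter would pass through, is rejected before any include runs.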
Copyright 2010, SecurityFocus