Multiple bugs in TFT-Gallery Dec 04 2006 09:57AM
nj hackerz ir

Script Name: TFT-Gallery
Authors: Mike Scalora, Eric Thelin, Sascha Lorenz & Jan Berndt
Website: http://tftgallery.sourceforge.net
Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com)
Status: Patch not released

First, I should apologize for my bad English.

TFT-Gallery is a PHP-based Web image gallery & doesn't require a database.

Bugs Description:
First bug)
Look at the admin's index page (/admin/index.php):

if(file_exists("passwd")) {
    // The hash is read from "passwd" in the same directory as this script
    $fd = fopen("passwd", "r");
    $givenpw = fgets($fd,15);
    if(isset($_REQUEST['password']) and
       isset($_REQUEST['username']) and
       $_REQUEST['username']=='admin' and
       crypt($_REQUEST['password'], "tftgallery") == $givenpw) {
        // login accepted
    } else {
        include_once "login_form.inc";
    }
}

TFT-Gallery stores the admin's password in the "passwd" file in the admin folder, so everyone has
access to it by going to:
TIP: The password is hashed with the DES algorithm.
TIP: The username is "admin".

Second Bug)
TFT-Gallery doesn't check the file extension, so somebody who has gained access through the
first bug can upload a file with any extension (e.g. evil.php).

Edit the code and store passwd somewhere else (outside of wwwroot).
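
The fix suggested above, sketched as an added example (not TFT-Gallery's code and not part of the original report): the hash is kept outside the web root and created with password_hash() instead of crypt() with a fixed salt, and uploads are limited to image extensions. The file path, the extension allowlist and all function names are assumptions.

```php
<?php
// Added example, not TFT-Gallery code. Path, allowlist and function names are assumptions.
const PASSWD_FILE = '/var/lib/tftgallery/passwd';   // assumed path outside the web root
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];  // assumed image allowlist

// Run once by the administrator to set the password.
function store_admin_password(string $password, string $file = PASSWD_FILE): void
{
    // password_hash() uses a random per-hash salt and a slow algorithm,
    // unlike crypt() with one fixed salt.
    file_put_contents($file, password_hash($password, PASSWORD_DEFAULT), LOCK_EX);
    chmod($file, 0600); // readable only by the account PHP runs as
}

function check_admin_login(string $username, string $password, string $file = PASSWD_FILE): bool
{
    $stored = is_readable($file) ? trim((string) file_get_contents($file)) : '';
    if ($stored === '') {
        return false; // fail closed when no hash is configured
    }
    $userOk = hash_equals('admin', $username);
    return password_verify($password, $stored) && $userOk;
}

// Returns the name to store the upload under, or null to reject it.
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null; // evil.php and anything else off the allowlist stops here
    }
    if (@getimagesize($tmpPath) === false) {
        return null; // extension is client-supplied; the bytes must also parse as an image
    }
    // Server-generated name with a single, allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo for the CLI, using a temp file in place of PASSWD_FILE.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'pw');
    store_admin_password('constructed-sample-password', $tmp);
    var_dump(check_admin_login('admin', 'constructed-sample-password', $tmp));
    var_dump(check_admin_login('admin', 'wrong-guess', $tmp));
    var_dump(safe_upload_name('evil.php', $tmp));
    var_dump(safe_upload_name('photo.jpg', $tmp));
    unlink($tmp);
}
```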
