Synnergy Laboratories Advisory SLA-2000-14

NAME

       PHPphotoalbum v0.9.9 filesystem traversal vulnerability


AFFECTED
 
  Windows
  Linux
  UNIX


SYNOPSIS

  Synnergy Labs has discovered a bug in PHPphotoalbum that allows a remote user
  to traverse through the filesystem of a server running this script using
  a malformed request of the ?folder environment variable in explorer.php.


DESCRIPTION

  phpPhotoAlbum is the next generation of dynamic photo albums, distributed under GPL.
  This product is made by the 'Professional Web Application Development Group' and 
  can be downloaded from http://www.phpphotoalbum.com/

  Specialised features of this PHP script include:

        .Custom Photo Folder Messages 
        .Multi-level Photo Albums 
        .Graphic User Interface 
        .Supported Most Image Types  

  Any user is able to traverse a directory as a request to the script using the $folder
  variable. It is then possible to read any file/folder with priviledges as the httpd.

  For instance:
  http://www.phpphotoalbum.com/products/phpPhotoAlbum/explorer.php?folder=../../../../../../../etc/

  .. will reveal all the files located in the specified directory.


SOLUTION

  The vendors have been informed of the bug.

  Wait for the next patched version of PhotoAlbum to be released.
 

AUTHOR

  pestilence @ synnergy.net


DISCLAIMER

  Synnergy Laboratories may not be held liable for the use or potential
  effects of these programs or advisories, nor the content contained
  within. Use them at your own risk.

COPYRIGHT

        Synnergy Laboratories -  www.synnergy.net (c) 1998-2000