[VIM] Wabbit directory traversal - uncertain impact; enomphp uncertainty
Steven M. Christey
coley at mitre.org
Thu Nov 30 18:00:27 EST 2006
Researcher: the_3dit0r
Ref: Wabbit PHP Gallery => 0.9 Remote Traversal Directory
http://www.securityfocus.com/archive/1/archive/1/452170/100/100/threaded
Seems kinda weird to see a filename manipulation in a parameter named
"dir". Source inspection of 0.9 shows the following.
NOTE: I'm not *sure*.
index.php:
show_the_gallery($_GET["offset"],$images_on_page,$_GET["dir"],$popup,$case,$extra); // Gallery display function
script.php:
function show_the_gallery($offset,$images_per_page,$dir,$popup,$case,$extra){
$thumbnail_dir = "./$dir/thumbs/";
$image_dir = "./$dir/images/";
if (file_exists($dir)){
$readdir = opendir("$thumbnail_dir");
... [populate $gallery array with filenames from $readdir]
...
if ($gallery[$i]){
$dimensions = getimagesize($image_dir.$gallery[$i]);
$size = filesize($image_dir.$gallery[$i])/1024;
$name = explode('.',$gallery[$i]);
if ($popup == "0"){
$image_href = '<a href="'.$image_dir.$gallery[$i].'" title="Show '.$name[0].' in a new window" target="_blank">';
}else{
$image_href = '<a href="#" onclick="window.open(\'showpic.php?gal='.$_GET[dir].'&pic='.$gallery[$i].'\', \'mywindow\', \'width='.$dimensions[0].', height='.$dimensions[1].', resizable=no, scrollbars=no, toolbar=no, location=no, directories=no, status=no, menubar=no\')" title="Show image in popup window">';
So, this looks like processing that's happening on directories, and at
best you might be able to list filenames and certain properties. But
the_3dit0r's demonstration exploit doesn't make sense, since the
resulting pathnames would be "./../..[]/etc/passwd/thumbs/" and so on.
Again, though, I'm not sure on this.
Note - enomphp, also reported by the same researcher, also has a
filename in a "dir" parameter. This product appears to be largely
discontinued, but a copy is at
http://ftp3.ie.freebsd.org/pub/sourceforge/e/en/enomphp/ .
Quick source inspection of the PHP4 and PHP3 versions of enomphp was
not able to find a "dir" parameter, although sometimes a $dir variable
was set to a static value, e.g. $dir = dir($dirplayer); in
rankml_inside.php, where $dirplayer is set to a static value in
config.php.
- Steve
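The following is an added example, not part of Steve's message, the advisory, or Wabbit's own code. It models in Python the three path operations the quoted script.php performs on the "dir" parameter (file_exists($dir), opendir("./$dir/thumbs/"), and the "./$dir/images/" prefix) and replays them against a constructed directory tree, so that the effect of a traversal payload can be checked rather than guessed. Python is used instead of PHP so it runs without a web server; the sandbox layout and the safe_gallery_dir() hardening are assumptions made for the example.

```python
"""Model of the path handling in Wabbit's show_the_gallery() (added example)."""
import os
import tempfile


def wabbit_paths(dir_param):
    """Mirror the string building in script.php for a given "dir" value."""
    return {
        "check": dir_param,                        # file_exists($dir)
        "thumbs": "./" + dir_param + "/thumbs/",   # opendir("$thumbnail_dir")
        "images": "./" + dir_param + "/images/",   # prefix for getimagesize()/filesize()
    }


def simulate_gallery(webroot, dir_param):
    """Replay the PHP's checks from the web root and report what would leak.

    file_exists($dir) behaves like PHP: relative to the web root (the cwd),
    or absolute if $dir is absolute. The thumbs path always begins with "./"
    in the PHP, so it is always resolved relative to the web root.
    """
    p = wabbit_paths(dir_param)
    check_path = os.path.join(webroot, p["check"])
    thumbs_path = os.path.join(webroot, p["thumbs"])
    result = {"file_exists": os.path.exists(check_path),
              "opendir_ok": False, "listing": []}
    if result["file_exists"] and os.path.isdir(thumbs_path):
        result["opendir_ok"] = True
        # The PHP reads every readdir() entry; only "." and ".." are skipped here.
        result["listing"] = sorted(n for n in os.listdir(thumbs_path)
                                   if n not in (".", ".."))
    return result


def safe_gallery_dir(webroot, dir_param):
    """Assumed hardening (not Wabbit's code): accept one path component only
    and confirm the resolved directory sits directly under the web root.
    Returns the resolved gallery path, or None if the value is rejected."""
    if not dir_param or dir_param in (".", "..") or "/" in dir_param or "\\" in dir_param:
        return None
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, dir_param))
    if os.path.dirname(candidate) != root or not os.path.isdir(candidate):
        return None
    return candidate


def build_sandbox():
    """Construct a throwaway tree (example data, not a real deployment):

      <tmp>/
        www/                 <- web root, the PHP's cwd
          gallery1/thumbs/   a.jpg b.jpg
          gallery1/images/   a.jpg b.jpg
          notes.txt          <- a plain file, standing in for /etc/passwd
        secret/thumbs/       report.pdf  <- a directory outside the web root

    Returns the web root path.
    """
    tmp = tempfile.mkdtemp(prefix="wabbit-")
    www = os.path.join(tmp, "www")
    for d in ("gallery1/thumbs", "gallery1/images"):
        os.makedirs(os.path.join(www, d))
        for name in ("a.jpg", "b.jpg"):
            open(os.path.join(www, d, name), "w").close()
    open(os.path.join(www, "notes.txt"), "w").close()
    os.makedirs(os.path.join(tmp, "secret", "thumbs"))
    open(os.path.join(tmp, "secret", "thumbs", "report.pdf"), "w").close()
    return www


if __name__ == "__main__":
    www = build_sandbox()
    # "notes.txt": file_exists() passes but opendir("./notes.txt/thumbs/") fails.
    # "../secret": a directory outside the web root that happens to contain a
    # thumbs/ subdirectory gets its filenames listed.
    # "../secret/thumbs": exists, but "./../secret/thumbs/thumbs/" does not.
    for payload in ("gallery1", "notes.txt", "../secret", "../secret/thumbs"):
        print(payload, wabbit_paths(payload)["thumbs"], simulate_gallery(www, payload))
        print("  hardened:", safe_gallery_dir(www, payload))
```

Running the script shows the point made above: a payload that names a regular file passes file_exists() but gets nothing from opendir() because "/thumbs/" is appended, so the traversal only yields filenames (and, through the image links, sizes and dimensions) from directories outside the gallery root that contain a thumbs/ subdirectory. Rejecting any "dir" value with a path separator, as safe_gallery_dir() does, removes the traversal entirely.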