YaPiG is "a simple but powerful web album very useful for publishing your image galleries". A vulnerability in the product allows remote attackers to insert PHP code into the comments they post and, at the same time, to control the extension of the comment file being created.
The information has been provided by acidbits.
* YaPiG version 0.92b (Latest downloaded files appear to be immune to PHP inclusion as it removes all <?PHP tags)
YaPiG 0.92b add_comment PHP Insertion Proof of Concept
By aCiDBiTS firstname.lastname@example.org 07-August-2004
YaPiG (http://yapig.sourceforge.net/) is a PHP Image Gallery script.
This Proof of Concept creates a php file that echoes a notice.
First it determines a valid photo directory where to create the script.
Then it creates a crafted comment saved in a new .php file. This comment
contains an encoded webshell. Once this .php file is opened, the code
contained creates test.php.
Usage (in my debian box):
php4 -q yapig_addc_poc.php "http://127.0.0.1/yapig-0.92b"
There is no user input sanitization of some parameters in add_comment.php
and functions.php. This allows creating a file with any extension, and we can
insert any code in it. Version 0.92b is vulnerable, I haven't tested older ones.
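
The two missing checks described above (who chooses the comment file's name and extension, and what may be written into it), as an added example that is not YaPiG's code or the advisory author's. The function save_comment(), its parameters, the '.comments.txt' suffix and the sample gallery are assumptions made for illustration.

```php
<?php
// Added example: a hypothetical comment writer, not YaPiG's own code.
// save_comment() and its parameter names are assumptions for illustration.
function save_comment(string $galleryRoot, string $galleryDir, string $photoId,
                      string $author, string $text): string
{
    // The client supplies only a numeric photo id and a single directory name;
    // anything carrying dots, slashes or an extension is rejected outright.
    if (!preg_match('/^[0-9]{1,6}$/D', $photoId)) {
        throw new InvalidArgumentException('invalid photo id');
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/D', $galleryDir)) {
        throw new InvalidArgumentException('invalid gallery directory');
    }
    // The resolved directory must exist and sit inside the gallery root.
    $root = realpath($galleryRoot);
    $dir = $root === false ? false : realpath($root . DIRECTORY_SEPARATOR . $galleryDir);
    if ($dir === false || strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('gallery directory not found under root');
    }
    // JSON_HEX_TAG writes < and > as \u003C and \u003E, so the stored record
    // cannot contain a literal PHP open tag whatever the comment says.
    $record = json_encode(
        ['time' => time(), 'author' => $author, 'text' => $text],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($record === false) {
        throw new InvalidArgumentException('comment is not valid UTF-8');
    }
    // The server, not the request, fixes the file name and its extension.
    $path = $dir . DIRECTORY_SEPARATOR . $photoId . '.comments.txt';
    if (file_put_contents($path, $record . "\n", FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException('could not write comment file');
    }
    return $path;
}

// Constructed sample input: one comment carrying a PHP tag, one bad photo id.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_demo';
@mkdir($root . DIRECTORY_SEPARATOR . 'holiday', 0700, true);
$path = save_comment($root, 'holiday', '12', 'guest', 'nice <?php echo 1; ?> photo');
echo basename($path), ': ', file_get_contents($path);
try {
    save_comment($root, 'holiday', '12.php', 'guest', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

When the stored comments are later rendered into a page, the decoded values still need htmlspecialchars() at output.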