singapore Image Gallery Web Application Multiple Vulnerabilities
20 Dec. 2004
Summary
singapore is "yet another open source PHP based image gallery web application. What makes it different from the hundreds of other similar scripts is that it is specifically geared towards displaying art in an aesthetically pleasing fashion using a clean, uncluttered interface".
Multiple vulnerabilities were found in the singapore Image Gallery Web application including arbitrary file download, directory deletion and Cross-Site Scripting (XSS).
Vulnerable Systems:
* singapore Image Gallery Web Application version 0.9.10
Immune Systems:
* singapore Image Gallery Web Application version 0.9.11
1. Insufficient checks to prevent directory traversal in thumb.php showThumb() method allows arbitrary file download. This may be exploited to download the encrypted password file in /install_dir/data/users.csv.php.
2. Insufficient filename checks in admin.class.php addImage() function may allow arbitrary file upload. This may be exploited by a malicious logon user to upload arbitrary PHP scripts instead of image files.
3. Insufficient checks to prevent directory traversal in admin.class.php allow deletion of arbitrary directory that the scripts has delete access to. On a Windows platform, deletion of arbitrary directories that the web server has write access to is also possible.
Disclosure Timeline:
17 Nov 04 - Vulnerability Discovered.
17 Nov 04 - Initial Author Notification by Email.
17 Nov 04 - Initial Author Reply.
18 Nov 04 - Second Author Notification.
19 Nov 04 - Received patch from Author, but it does not work.
19 Nov 04 - Informed Author that patch does not work.
30 Nov 04 - Third Author Notification.
03 Dec 04 - Author provided fix.
15 Dec 04 - Author Released Version 0.9.11.
16 Dec 04 - Public Release.
