SLA-15-PHPix.txt

` Synnergy Laboratories Advisory SLA-2000-15  
  
NAME  
  
PHPix 1.0.X directory traversal vulnerability  
  
AFFECTED  
  
Linux/UNIX with PHPix 1.0.0/1.0.1/1.0.2  
  
SYNOPSIS  
  
Synnergy Labs has found a flaw within PHPix that allows a user to successfully   
traverse the filesystem on a remote host, allowing arbitary files/folders to be   
read.  
  
  
DESCRIPTION   
  
PHPix is a Web-based photo album viewer written in PHP. It features automatic  
generation of thumbnails and different resolution files for viewing on the fly.  
PHPix Photo Album is available from http://phpix.org  
  
Synnergy has recently discovered a flaw within PHPix that allow a remote user to   
traverse a directory as a request to the script using the  
$mode=album&album=_some_dir_variable. It is then possible to read any file  
or folder's contents with priviledges as the httpd.  
  
Example:   
  
http://target.com/Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&dispsize=640&start=0  
  
The above line if given will output all the directories that are nested within /etc   
directory. Other more sinister content can be revealed from there.  
  
  
SOLUTION  
  
The vendors have been informed of the bug. It is advised to wait for the next patched  
version of PHPix to be reelased.   
  
  
AUTHOR  
  
Discovery: pestilence @ synnergy.net  
  
  
DISCLAIMER  
  
Synnergy Laboratories may not be held liable for the use or potential  
effects of these programs or advisories, nor the content contained  
within. Use them at your own risk.  
  
COPYRIGHT  
  
Synnergy Laboratories - www.synnergy.net (c) 1998-2000   
`