Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

igallery33.txt

🗓️ 23 Jun 2005 00:00:00Reported by Seyed Hamid KashfiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 23 Views

i-Gallery version 3.3 has directory traversal and CSS vulnerability allowing unauthorized file access.

Code
`Hat-Squad Advisory: i-Gallery directory traversal  
  
Product: i-Gallery  
Vendor Url: http://www.b-cp.com  
Version: 3.3 (older versions not tested , but assumed vulnerable)  
Vulnerability: Directory traversal and CSS bug  
Release Date:   
  
Vendor Status:  
Informed: 15 June 2005  
Second Contact: 19 June 2005  
Advisory Released: 20 June 2005  
  
Overview:  
  
i-Gallery is a complete online photo gallery. Easy to navigate   
thumbnails with paging.  
Enlarged views offer print & email buttons. Secured backend features:   
create/delete folders,  
upload/delete images, add descriptions, move images, and much more...  
  
########################################################################  
  
Problem 1:  
  
The i-Gallery uses no protection to avoid the directory traversal bug.  
The problem happens when the attacker uses the classic pattern "/../"   
that  
allows him to see and download any file in the remote system knowing the  
path.By use of preview feature of the i-Gallery it`s possible to get   
list  
of directory files ( not folders ) and attempt to download them .so not  
like most of directory traversal attacks , due to the nature of i-  
gallery  
you only need to be aware of correct directory path . file name will be  
handleded by i-gallery in a nice interface :>  
  
Attack is possible on almost all asp files to get files , but my favor   
browse interface is the "folderview.asp" file .  
  
Google Scanner :  
  
inurl:"/gallery/folderview.asp?folder="  
  
  
sample exploit :  
  
http://<host>/gallery/folderview.asp?  
folder=Sport+Champions/../../../../../../../../winnt/repair  
  
you`ll probebly go for "SAM" but I should notice you a little challenge   
while downloading files without  
extencions AND the permision staff ;)  
  
########################################################################  
  
Problem 2:  
  
i-Gallery lack of input validation for any user request . as a resault   
attacks  
like cross-site scripting become possible , and steal stored cookies of   
secured  
interface of i-Gallery become possible to name one example.   
  
  
Sample Exploit:  
  
http://<host>/gallery/folderview.asp?folder=<script>alert  
(document.cookie)</script>  
  
########################################################################  
  
  
Workaround :  
  
Apply vendor patch.  
( No responce from vendor up to now )  
  
Credits:  
  
  
This Vulnerability has been discovered by Seyed Hamid Kashfi(hamid@hat-  
squad.com)  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Jun 2005 00:00Current
7.4High risk
Vulners AI Score7.4
i-gallery directory traversalfile system exposureinput validation failurecross-site scripting.
23