Blue Collar Productions iGallery 4.1 Plus File Download

2009-06-04T00:00:00
ID PACKETSTORM:78070
Type packetstorm
Reporter Stefano Angaran
Modified 2009-06-04T00:00:00

Description

                                        
                                            `Vendor Notified: 05/25/2009  
  
Vulnerability Details:  
-------------------------------------------  
Blue Collar Productions iGallery 4.1 Plus (
http://www.b-cp.com/igallery/default.asp ) is a commercial photo gallery
script written in Classic ASP. A free version, iGallery 3.4, also exists.
The file streamfile.asp suffers from an Arbitrary File Download
vulnerability due to missing input validation on the "i" and "f"
parameters; in particular, path traversal patterns are not validated.
  
Systems Affected:  
-------------------------------------------  
iGallery 4.1 Plus and iGallery 3.4 were tested and shown to be vulnerable.  
  
Impact:  
-------------------------------------------  
Through this vulnerability, remote, unauthenticated users could download
any file accessible to the web server. By reading source files, a
malicious user could obtain important information such as database
passwords.
  
Mitigating Factors:
-------------------------------------------
New IIS installations are often configured to deny requests with ../ in
the query string. Unfortunately, the injection can also come from POST
parameters.
  
PoC:  
-------------------------------------------  
http://www.example.com/igallery41/streamfile.asp?i=./../../../index.asp&f=subdir  
  
  
Vendor Response:  
-------------------------------------------  
  
None as of 06/03/2009  
  
---  
  
Stefano Angaran  
http://www.upyou.it  
http://blog.upyou.it  
  
`
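
As an added example (not part of the original advisory or of the vendor's code), the following Python check flags path traversal in the "i" and "f" parameters of requests to streamfile.asp, inspecting both the query string and a form-encoded POST body, since the advisory notes that query-string filtering alone does not cover POST parameters. The function names are hypothetical, and the sample requests other than the advisory's PoC URL are constructed.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET = "streamfile.asp"   # script named in the advisory
PARAMS = {"i", "f"}         # parameters named in the advisory

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so layered encoding (%252e) is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the value has a '..' segment, is rooted, or names a drive."""
    path = decode_fully(value).replace("\\", "/")
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return True
    return ".." in path.split("/")

def check_request(method, url, body=""):
    """Return [(source, param, value)] for suspicious i/f values."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/" + TARGET):
        return []
    sources = [("query", parts.query)]
    if method.upper() == "POST":
        # A query-string-only filter never sees these parameters.
        sources.append(("body", body))
    findings = []
    for source, raw in sources:
        # parse_qsl decodes once; is_traversal unwraps any further layers.
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if name.lower() in PARAMS and is_traversal(value):
                findings.append((source, name.lower(), value))
    return findings

# Constructed sample requests; the first URL is the advisory's PoC.
BASE = "http://www.example.com/igallery41/streamfile.asp"
SAMPLES = [
    ("GET", BASE + "?i=./../../../index.asp&f=subdir", ""),
    ("POST", BASE, "i=..%2F..%2Findex.asp&f=subdir"),
    ("GET", BASE + "?i=photo1.jpg&f=holiday", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, check_request(method, url, body))
```

The check is meant for a point that sees the full request, such as a reverse proxy or application filter, because the POST body is not available to a query-string rule.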