Multiple bugs in TFT-Gallery

Type securityvulns
Reporter Securityvulns
Modified 2006-12-05T00:00:00


Script Name: TFT-Gallery Authors: Mike Scalora, Eric Thelin, Sascha Lorenz & Jan Berndt Website: Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com) Status: Patch not released

First i should apologize for my bad english.

Intro: TFT-Gallery is a PHP-based Web image gallery & does n't require databse.

Bugs Description: First bug) Look at admin`s index page(/admin/index.php)

    if(file_exists("passwd")) {
                    $fd = fopen("passwd", "r");
                    $givenpw = fgets($fd,15);
                    if(isset($_REQUEST['password']) and
                            isset($_REQUEST['username']) and
                                    $_REQUEST['username']=='admin' and
                                            crypt($_REQUEST['password'], "tftgallery") ==

$givenpw) { $_SESSION['admin']=true; } else { include_once ""; exit; } }

    TFT-Gallery stores admin's password in "passwd" file at admin folder, so everyone has access

to it by going to:

http://victim/admin/passwd TIP: Password hashed by DES algorithm. TIP: Username is "admin". Second Bug) TFT-Gallery doesn't check file extension so if somebody who has gain access by First bug can upload any file extension (ex. evil.php).

Solution: Edit code and store passwd some where else (out of wwwroot).