MHL-2006-003 - Public Advisory

+-----------------------------------------------------------+
|         ezOnlineGallery Multiple Security Issues          |
+-----------------------------------------------------------+

PUBLISHED ON
  October 26th, 2006

PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-003.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006003

PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84

APPLICATION
  ezOnlineGallery
  http://www.ezonlinegallery.com/

AFFECTED VERSIONS
  Versions 1.3 and below

ISSUES
	ezOnlineGallery allows disclosure of certain data about
	the system it is installed on.
	
	1) Valid Path Disclosures
	By editing the album variable when the "show_album"
	action is called on ezgallery.php, an attacker can verify
	the existence of any directory on a system. The system
	will attempt to display an album if the path is valid,
	and will return an error if the path is invalid.
	
	EXAMPLE:
	ezgallery.php?action=show_album&album=../../../../../etc/
	
	2) File Disclosure
	By editing both the album and image variables on image.php,
	an attacker can view any JPG, BMP, or PNG that the Apache
	process has read access to.
	
	EXAMPLE:
	image.php?album=../../home/jrluser/girlfriendpics&image=nude.jpg

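One way to close both issues, shown as an added example (not ezOnlineGallery's code and not the 1.3.2 Beta fix): resolve the album and image parameters under a single gallery root, reject anything that escapes it, and return one indistinguishable failure so path existence cannot be probed. The function name resolve_gallery_path, the single-root layout and the demo paths are assumptions.

```php
<?php
// Added example: hypothetical helper, not ezOnlineGallery code.
// Assumption: every album is a directory directly under one gallery root.
const ALLOWED_EXT = ['jpg', 'jpeg', 'bmp', 'png'];

// Returns the real path of the album (or of an image inside it), or null.
// Every failure returns null so the caller can answer all of them identically.
function resolve_gallery_path(string $root, string $album, ?string $image = null): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // Each parameter must be a single path component: no separators, no NUL,
    // no "." or "..".
    foreach (array_filter([$album, $image], 'is_string') as $part) {
        if ($part === '' || $part === '.' || $part === '..'
            || strpbrk($part, "/\\\0") !== false) {
            return null;
        }
    }
    $candidate = $rootReal . DIRECTORY_SEPARATOR . $album;
    if ($image !== null) {
        $ext = strtolower(pathinfo($image, PATHINFO_EXTENSION));
        if (!in_array($ext, ALLOWED_EXT, true)) {
            return null;
        }
        $candidate .= DIRECTORY_SEPARATOR . $image;
    }
    // realpath() resolves symlinks and "..": the result must still sit under root.
    $real = realpath($candidate);
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if ($image === null ? !is_dir($real) : !is_file($real)) {
        return null;
    }
    return $real;
}

// Demo with constructed inputs: a temporary gallery root holding one album.
$root = sys_get_temp_dir() . '/gallery_demo';
@mkdir($root . '/holiday', 0700, true);
touch($root . '/holiday/beach.jpg');
var_dump(resolve_gallery_path($root, 'holiday', 'beach.jpg'));
var_dump(resolve_gallery_path($root, '../../../../../etc/'));
var_dump(resolve_gallery_path($root, '..', 'beach.jpg'));
```

A caller should map null to a single generic response regardless of why resolution failed, which removes the valid/invalid path distinction described in issue 1.
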
WORKAROUNDS
	None at this time

SOLUTIONS
	Upgrade to 1.3.2 Beta

REFERENCES
	ezOnlineGallery - http://www.ezonlinegallery.com/

TIMELINE
	October 26th, 2006
		Vendor/Developer Notified
		Vendor/Developer Fixes Issues
		Public Release

ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5