Multiple bugs in TFT-Gallery

2006.12.07
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Script Name: TFT-Gallery
Authors: Mike Scalora, Eric Thelin, Sascha Lorenz & Jan Berndt
Website: http://tftgallery.sourceforge.net
Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com)
Status: Patch not released

First, I should apologize for my bad English.

Intro:
TFT-Gallery is a PHP-based Web image gallery that doesn't require a database.

Bugs Description:

First bug) Look at the admin's index page (/admin/index.php):

    // The password hash is read from "passwd" in the same (web-served) folder
    if(file_exists("passwd")) {
        $fd = fopen("passwd", "r");
        $givenpw = fgets($fd,15);
        fclose($fd);
        // crypt() with the fixed salt "tftgallery" is compared to the stored hash
        if(isset($_REQUEST['password']) and isset($_REQUEST['username'])
           and $_REQUEST['username']=='admin'
           and crypt($_REQUEST['password'], "tftgallery") == $givenpw) {
            $_SESSION['admin']=true;
        } else {
            include_once "login_form.inc";
            exit;
        }
    }

TFT-Gallery stores the admin's password in the "passwd" file in the admin folder, so everyone has access to it by going to:
http://victim/admin/passwd

TIP: The password is hashed with the DES algorithm.
TIP: The username is "admin".

Second bug) TFT-Gallery doesn't check the file extension, so somebody who has gained access through the first bug can upload a file with any extension (e.g. evil.php).

Solution: Edit the code and store passwd somewhere else (outside wwwroot).
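A hardened counterpart to the two bugs above, as an added example that is not TFT-Gallery's code or the reporter's: the password hash is kept outside the web root and checked with password_hash()/password_verify(), and uploads are limited to an image allowlist. The path /var/lib/tftgallery/passwd, the function names and the allowlist are assumptions; it needs PHP 7.1+ with the fileinfo extension.

```php
<?php
// Added example, not TFT-Gallery code. Path and function names are assumptions.

// Assumed location outside the document root, so no URL maps to the file.
const PASSWD_FILE = '/var/lib/tftgallery/passwd';
// Assumed allowlist for an image gallery: extension => expected MIME type.
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                       'png' => 'image/png',  'gif'  => 'image/gif'];

// Store a salted, slow hash instead of the fixed-salt DES crypt() value.
function set_admin_password(string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    return file_put_contents(PASSWD_FILE, $hash, LOCK_EX) !== false
        && chmod(PASSWD_FILE, 0600);
}

function check_admin_login(string $username, string $password): bool
{
    $hash = @file_get_contents(PASSWD_FILE);
    if ($hash === false) {
        return false;               // fail closed when the file is missing
    }
    $ok = password_verify($password, trim($hash));
    return hash_equals('admin', $username) && $ok;
}

// Returns the stored path, or null if the upload is rejected.
function accept_upload(array $file, string $galleryDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;                // rejects evil.php and extensionless names
    }
    // Check the content as well: the extension alone is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // Server-generated name: nothing from the client reaches the stored path.
    $dest = rtrim($galleryDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

Disabling PHP execution for the gallery's upload directory in the web server configuration adds a second barrier if a check here is ever bypassed.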


Copyright 2024, cxsecurity.com

 
