e107 My_Gallery Plugin Arbitrary File Download Vulnerability

2008.04.09
Credit: Jerome Athias
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

e107 My_Gallery Plugin Arbitrary File Download Vulnerability

Release Date: 2008-03-25
Critical: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information
Where: From remote
Solution Status: Unpatched

Software: My_Gallery v2.3 (plugin for e107) and prior
Link: http://plugins.e107.org/e107_plugins/psilo/psilo.php?artifact.208

Description:
A photo gallery for e107, powered by Highslide JS script. with random gallery menu and navigation menu.
+ User interface for uploads images
+ Pre-moderation users download
+ Control Panel, can edit the name and description, delete and move
+ New comment system, it is now the most opulent gallery
+ New Front page
+ Added BBcode and a button

Vulnerability:
Jerome Athias has discovered a vulnerability in My_Gallery plugin for e107, which can be exploited by malicious people to disclose sensitive information.
The vulnerability is caused due to an input validation error in dload.php when processing arguments passed to the "file" parameter. This can be exploited to download arbitrary files from the affected system.
The vulnerability is confirmed in version 2.3. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly validated.

Dork: inurl:"e107_plugins/my_gallery"

Provided and/or discovered by: Jerome Athias, JA-PSI http://www.ja-psi.fr

Other References: https://www.securinfos.info
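The solution above asks for the "file" parameter to be validated; the following is an added example of such a check for a PHP download handler, not code from the advisory or from the My_Gallery source. The gallery directory, the extension list and the function name are assumptions made for illustration.

```php
<?php
// Added example. ALLOWED_EXT, resolve_gallery_file() and the gallery path
// are hypothetical names; they are not taken from the My_Gallery source.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Returns the canonical path of $requested if it is a regular image file
// located under $baseDir, otherwise null.
function resolve_gallery_file(string $baseDir, $requested): ?string
{
    // Arrays (file[]=x), empty values and NUL bytes are never valid names.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() resolves "..", "." and symlinks; false means "does not exist".
    $real = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against "base/" so a sibling such as "gallery_old" cannot match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed fixture: one image inside the gallery, one file outside it.
    $root = sys_get_temp_dir() . '/gallery_demo_' . getmypid();
    mkdir("$root/gallery", 0700, true);
    file_put_contents("$root/gallery/cat.jpg", 'img');
    file_put_contents("$root/secret.jpg", 'not for download');
    foreach (['cat.jpg', '../secret.jpg', 'cat.php', "cat.jpg\0.php", ['x']] as $in) {
        $out = resolve_gallery_file("$root/gallery", $in);
        printf("%-22s => %s\n", json_encode($in, JSON_UNESCAPED_SLASHES), $out === null ? 'rejected' : 'served');
    }
} else {
    // Web request: serve only what passed the containment check.
    $path = resolve_gallery_file(__DIR__ . '/gallery', $_GET['file'] ?? null); // hypothetical location
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . preg_replace('/[^\w.-]/', '_', basename($path)) . '"');
    readfile($path);
}
```

Run from the command line, the script builds the constructed fixture and prints which inputs the check accepts; only the file that canonicalises to a path inside the gallery directory is served.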


Copyright 2024, cxsecurity.com