Closed cloudrck closed 10 years ago
The software does not seem to care where you look for an image file. Simple GET manipulation can allow anyone to look for image files on the server.
Example: Two users or vhosts
/home/user1 (QuickGallery at /home/user1/public_html/site/QuickGallery/index.php)
/home/user2 (Image at /home/user2/test/img.jpg)
http://example.com/site/QuickGallery/index.php?gallery=../../../../user2/img.jpg
Fixed, by stripping forward slashes from $gallery.
Simply add: $gallery = str_replace(chr(47), '', $gallery); after $gallery = $_GET['gallery'];
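A different way to confine the `gallery` parameter, as an added example that is not QuickGallery's code or part of this thread: canonicalize the requested path with `realpath()` and accept it only if the result stays under the gallery root. The function name `resolve_inside()`, the `galleries` directory and the temp-dir layout are assumptions made for the demonstration.

```php
<?php
// Added example, not QuickGallery's code. resolve_inside() and the
// directory layout built below are hypothetical.

/**
 * Resolve a user-supplied relative path against $root.
 * Returns the canonical path, or null if it is missing or outside $root.
 */
function resolve_inside(string $root, string $userPath): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false
    // when the path does not exist.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;
    }
    // Containment: the target must be the root itself or sit under "root/".
    // The trailing separator stops "/galleries2" from matching "/galleries".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $rootReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout in a temp dir, mirroring the two-user report above.
$base = sys_get_temp_dir() . '/qg_demo_' . bin2hex(random_bytes(4));
$root = "$base/user1/public_html/site/QuickGallery/galleries";
mkdir("$root/holiday", 0700, true);
mkdir("$base/user2/test", 0700, true);
touch("$base/user2/test/img.jpg");

// Constructed inputs: one legitimate gallery, then values that must be refused.
$inputs = ['holiday', '../../../../../user2/test/img.jpg', '..', 'missing'];
foreach ($inputs as $g) {
    $resolved = resolve_inside($root, $g);
    printf("%-36s %s\n", $g, $resolved === null ? 'rejected' : 'accepted');
}
```

Because the check runs on the canonical path rather than on the raw string, it does not depend on which separator or encoding the request used.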