Bugtraq mailing list archives
Full Path Disclosure In Photolibrary 1.009
From: XiaShing () gmail com
Date: 11 Feb 2009 07:58:45 -0000
============================================================
!vuln
Photolibrary 1.009
Previous versions may also be affected.
============================================================

============================================================
!risk
Low
There are currently just a few websites circulating with Photolibrary enabled.
============================================================

============================================================
!dork
Dork: inurl:"/photos" photolibrary All images are the copyright of their respective authors. Link to this page
============================================================

============================================================
!discussion
Null user input in the following PHP file results in full path disclosure of the document root folder because of the include function:

site.com/photolibrary.1.009/photolibrary/css/style.php?page=
============================================================

============================================================
!solution
Change line 48 so that the include statement stops null input:

    if($page == '')
        echo ("Get lost! Stop Trying to get full path disclosure!");
    else {
        include($page.'.css');
    }

The vendor has not yet been notified.
============================================================

============================================================
!greetz
Greetz go out to the people who know me.
============================================================

============================================================
!author
Xia Shing Zee
============================================================
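Editor's added example (not part of the original post and not Photolibrary's code): a stricter handler for the same ?page= parameter. Any value that does not resolve to an existing file makes include() emit the same path-revealing warning, so this version checks the value against a fixed list and keeps PHP errors out of the response. The themes/ directory, the stylesheet names and the function resolve_stylesheet() are assumptions, as is the premise that the stylesheets are static CSS that can be served with readfile() instead of include().

```php
<?php
// Added example, not Photolibrary's code. The directory and stylesheet
// names below are assumptions made for illustration.
declare(strict_types=1);

// Warnings go to the server log, never into the HTTP response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const CSS_DIR = __DIR__ . '/themes';                  // hypothetical directory
const ALLOWED_SHEETS = ['default', 'dark', 'print'];  // hypothetical names

/**
 * Map the untrusted ?page= value to a file path.
 * Returns null for anything that is not an allowed, existing stylesheet.
 */
function resolve_stylesheet($page): ?string
{
    // ?page[]=x arrives as an array; only plain strings are considered.
    if (!is_string($page)) {
        return null;
    }
    // Strict comparison against a fixed list: the empty string and any
    // value containing path separators can never match an entry.
    if (!in_array($page, ALLOWED_SHEETS, true)) {
        return null;
    }
    $path = CSS_DIR . '/' . $page . '.css';
    // An allowed name whose file is missing is a 404, not a PHP warning.
    return is_file($path) ? $path : null;
}

$path = resolve_stylesheet($_GET['page'] ?? null);
if ($path === null) {
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    exit("Not found\n");
}

header('Content-Type: text/css; charset=utf-8');
readfile($path); // served as data; the stylesheet is never executed as PHP
```

Setting display_errors to Off in php.ini for production covers every script on the site, not only this one.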