TFT-Gallery multi vulns
Multiple bugs in TFT-Gallery

Script Name: TFT-Gallery
Authors: Mike Scalora, Eric Thelin, Sascha Lorenz & Jan Berndt
Website: http://tftgallery.sourceforge.net 
Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com)
Status: Patch not released

First I should apologize for my bad English.

	TFT-Gallery is a PHP-based web image gallery and doesn't require a database.
Bugs Description:
First bug)
	Look at the admin index page (/admin/index.php):

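	// Relative path: the hash file sits in the admin folder next to index.php
	if (file_exists("passwd")) {
		$fd = fopen("passwd", "r");
		// Read the stored hash (fgets returns at most 14 bytes here)
		$givenpw = fgets($fd, 15);
		if (isset($_REQUEST['password']) and
			isset($_REQUEST['username']) and
			$_REQUEST['username'] == 'admin' and
			crypt($_REQUEST['password'], "tftgallery") == $givenpw) {
			// Credentials match: fall through to the admin page
		} else {
			include_once "login_form.inc";
		}
	}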

	TFT-Gallery stores the admin's password in a "passwd" file in the admin folder, so anyone
can access it by going to:
TIP: The password is hashed with the DES algorithm.
TIP: The username is "admin".
Second Bug)
	TFT-Gallery doesn't check file extensions, so somebody who has gained access through the
first bug can upload a file with any extension (e.g. evil.php).

	Edit the code and store passwd somewhere else (outside of wwwroot).
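
A sketch of that fix together with the missing upload check from the second bug. This is an added example, not TFT-Gallery code: the path /var/lib/tftgallery/passwd, the allowlist, and the function names check_login and safe_upload_name are assumptions, and the hash file is assumed to be regenerated with password_hash().

```php
<?php
// Added example, not TFT-Gallery code. Names and paths below are assumptions.

// Assumed location outside the document root, so no URL maps to the hash file.
const PASSWD_FILE = '/var/lib/tftgallery/passwd';

// Assumed allowlist: extension => MIME type expected for that extension.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Returns true only for the admin user with the correct password.
function check_login(string $user, string $password): bool
{
    $stored = @file_get_contents(PASSWD_FILE);
    if ($stored === false) {
        return false; // fail closed when the file is missing or unreadable
    }
    // The file is assumed to hold one password_hash() string.
    $okPass = password_verify($password, trim($stored));
    $okUser = hash_equals('admin', $user);
    return $okUser && $okPass;
}

// Returns a server-chosen file name for an accepted upload, or null to reject.
function safe_upload_name(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null; // evil.php and any other non-image extension stop here
    }
    // Check the content as well as the name (needs the fileinfo extension).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    // Discard the client-supplied name; keep only the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}
```

Pass the upload's entry from $_FILES to safe_upload_name() and hand the returned name to move_uploaded_file(); a null return means the upload is refused.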
