Vulnerability

    PHPix

Affected

    PHPix 1.0.x

Description

    Following is based on Synnergy Laboratories Advisory  SLA-2000-15.
    Synnergy Labs has found a flaw within PHPix that allows a user  to
    successfully traverse  the filesystem  on a  remote host, allowing
    arbitary files/folders to be read.

    PHPix  is  a  Web-based  photo  album  viewer  written in PHP.  It
    features  automatic   generation  of   thumbnails  and   different
    resolution files  for viewing  on the  fly.   PHPix Photo Album is
    available from http://phpix.org

    Synnergy has recently discovered a flaw within PHPix that allow  a
    remote user  to traverse  a directory  as a  request to the script
    using  the  $mode=album&album=_some_dir_variable.    It  is   then
    possible to read any file or folder's contents with priviledges as
    the httpd.

    Example:

        http://target.com/Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&dispsize=640&start=0

    The above line if given  will output all the directories  that are
    nested within /etc directory.  Other more sinister content can  be
    revealed from there.

Solution

    The vendors have been informed of the bug.  It is advised to  wait
    for the next patched version of PHPix to be reelased.