MHL-2006-003 - Public Advisory

+-----------------------------------------------------------+
|         ezOnlineGallery Multiple Security Issues          |
+-----------------------------------------------------------+

PUBLISHED ON
  October 26th, 2006

PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-003.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006003

PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com
  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84

APPLICATION
  ezOnlineGallery
  http://www.ezonlinegallery.com/

AFFECTED VERSIONS
  Versions 1.3 and below

ISSUES
  ezOnlineGallery allows disclosure of certain data about the system
  it is installed on.

  1) By editing the album variable when the "show_album" action is
     called on ezgallery.php, an attacker can verify the existence of
     any directory on a system. The system will attempt to display an
     album if the path is valid, and will return an error if the path
     is invalid.

     EXAMPLE:
     ezgallery.php?action=show_album&album=../../../../../etc/

  2) By editing both the album and image variables on image.php, an
     attacker can view any JPG, BMP, or PNG that the Apache process
     has read access to.

     EXAMPLE:
     image.php?album=../../home/jrluser/girlfriendpics&image=nude.jpg

WORKAROUNDS
  None at this time

SOLUTIONS
  Upgrade to 1.3.2 Beta

REFERENCES
  ezOnlineGallery - http://www.ezonlinegallery.com/

TIMELINE
  October 26th, 2006 Vendor/Developer Notified
  October 26th, 2006 Vendor/Developer Fixes Issues!

ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5
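
DETECTION EXAMPLE
  Added example, not part of the original advisory and not vendor code: a log scan that flags requests to ezgallery.php and image.php whose album or image parameter contains a ".." path segment, including percent-encoded and double-encoded forms. The combined log format, the /gallery/ install path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (assumed combined log format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Oct/2006:10:00:01 +0000] "GET /gallery/ezgallery.php?action=show_album&album=holiday2006 HTTP/1.1" 200 5120
192.0.2.44 - - [26/Oct/2006:10:02:13 +0000] "GET /gallery/ezgallery.php?action=show_album&album=../../../../../etc/ HTTP/1.1" 200 912
192.0.2.44 - - [26/Oct/2006:10:02:40 +0000] "GET /gallery/image.php?album=%2e%2e%2f%2e%2e%2fhome%2fuser%2fpics&image=a.jpg HTTP/1.1" 200 88211
192.0.2.44 - - [26/Oct/2006:10:03:02 +0000] "GET /gallery/image.php?album=holiday2006&image=..%252f..%252fsecret.png HTTP/1.1" 404 310
192.0.2.10 - - [26/Oct/2006:10:04:00 +0000] "GET /gallery/image.php?album=holiday2006&image=beach.jpg HTTP/1.1" 200 40211
"""

# Client address, request target and status code from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Scripts and parameters named in the advisory (any action on ezgallery.php is checked).
WATCHED = {"ezgallery.php": ("album",), "image.php": ("album", "image")}

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252f) so encoded traversal is visible."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return (client, script, parameter, decoded value, status) per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        script = url.path.rsplit("/", 1)[-1].lower()
        for name in WATCHED.get(script, ()):
            for raw in parse_qs(url.query).get(name, []):
                value = fully_decode(raw)
                if ".." in re.split(r"[\\/]", value):  # a ".." path segment
                    hits.append((client, script, name, value, int(status)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

  The status code is kept in each hit because issue 1 distinguishes valid from invalid paths by whether the application returns an error.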