Synnergy Laboratories Advisory SLA-2000-15 NAME PHPix 1.0.X directory traversal vulnerability AFFECTED Linux/UNIX with PHPix 1.0.0/1.0.1/1.0.2 SYNOPSIS Synnergy Labs has found a flaw within PHPix that allows a user to successfully traverse the filesystem on a remote host, allowing arbitary files/folders to be read. DESCRIPTION PHPix is a Web-based photo album viewer written in PHP. It features automatic generation of thumbnails and different resolution files for viewing on the fly. PHPix Photo Album is available from http://phpix.org Synnergy has recently discovered a flaw within PHPix that allow a remote user to traverse a directory as a request to the script using the $mode=album&album=_some_dir_variable. It is then possible to read any file or folder's contents with priviledges as the httpd. Example: http://target.com/Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&dispsize=640&start=0 The above line if given will output all the directories that are nested within /etc directory. Other more sinister content can be revealed from there. SOLUTION The vendors have been informed of the bug. It is advised to wait for the next patched version of PHPix to be reelased. AUTHOR Discovery: pestilence @ synnergy.net DISCLAIMER Synnergy Laboratories may not be held liable for the use or potential effects of these programs or advisories, nor the content contained within. Use them at your own risk. COPYRIGHT Synnergy Laboratories - www.synnergy.net (c) 1998-2000