HIO-2010-0706 InterPhoto Gallery File Upload Vulnerability

The InterPhoto Gallery 2.4.0 interface exhibits vulnerabilities which can be exploited by malicious people to conduct arbitrary file uploads.

The arbitrary file upload vulnerability is caused by the mydesk.upload.php script allowing the upload of files with arbitrary extensions to /interphoto/templates, /interphoto/languages, and all image folders inside the webroot. Additionally, users with upload permissions (the default) can upload files with arbitrary extensions via mydesk.images.php. This can be exploited to upload arbitrary files inside the webroot and, for example, execute arbitrary PHP code.

The vulnerability is confirmed in version 2.4.0. Other versions may also be affected.
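The root cause described above is an upload handler that accepts any file extension and writes the file into web-served directories. The following is an added example, not InterPhoto's code, of how such a handler is hardened: the file extension is checked against an allowlist, the content type is sniffed from the bytes rather than taken from the client, the file must decode as an image, the destination directory is fixed rather than derived from the request, and the stored name is chosen by the server. The directory path, size limit and form field name are assumptions for a hypothetical gallery.

```php
<?php
// Added example (not InterPhoto's code): a hardened image upload handler.
// The weak pattern behind this class of bug is to take the client-supplied
// filename ($_FILES['image']['name']) and move_uploaded_file() it, unchanged,
// into a web-served directory. Paths and limits below are assumptions.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/gallery-data/images'; // assumed: outside the webroot
const MAX_BYTES  = 5 * 1024 * 1024;                // assumed limit

// Allowed extension => MIME types accepted when sniffed from the file content.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

/**
 * Validate one entry of $_FILES and return the extension to store it under,
 * or throw. Checks: upload status, size, extension allowlist (final extension
 * only, lowercased), content-sniffed MIME type, and decodability as an image.
 */
function validate_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Only the final extension of the client name is consulted, and the file is
    // later stored under a server-chosen name, so no other part of the client
    // name ever reaches disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Sniff the real content type; $file['type'] is client-supplied and untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // getimagesize() rejects data that is not a decodable image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    return $ext;
}

/** Store a validated upload under a random name in the fixed directory; return the basename. */
function store_image_upload(array $file): string
{
    $ext  = validate_image_upload($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // Destination directory is a constant: never built from a request parameter.
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage inside the upload endpoint (assumed form field name "image"):
if (PHP_SAPI !== 'cli' && isset($_FILES['image'])) {
    try {
        $stored = store_image_upload($_FILES['image']);
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two points in this design matter most for the weakness reported here: the destination directory is a constant, so a request cannot steer a file into a template or language directory, and the stored name is generated by the server, so the client's extension never decides what lands on disk. As defence in depth, the upload directory should also be served with script execution disabled, so that a validation bypass still does not yield code execution.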


References:

CVE-2010-pending

BID:

OSVDB: 67234

SA: 40471

XF: 

Related: 

Vendor Solution:

