Security problem - Slash "attack"
Submitted by Sparviero on Fri, 2008-10-24 18:14.
Someone can "attack" your phpAlbum using a lame tech.
The PHP code doesn't remove the double slashes in the path (//, ///, etc.), so an attacker can compromise the site using this request:
http://www.dominio.it/main.php?cmd=album&var1=//////////////
For each "//" the PHP adds an entry in the album_directory.php file (and other stuff).
This attack can be used for all the albums, so the requests:
http://www.dominio.it/main.php?cmd=album&var1=//foo/
and
http://www.dominio.it/main.php?cmd=album&var1=///foo/
will create a new entry AND 2 cache files for each image file.
To resolve this problem, I've edited the main.php file, and after the line
function generate_album($var1,$start_with){
I've added these lines:
// collapse every run of slashes into a single slash
while (preg_match("/\/\//", $var1)) $var1 = str_replace("//", "/", $var1);
// drop the leading slash that is left over
if (preg_match("/^\//", $var1)) $var1 = substr($var1, 1);
c-ya
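
A more general form of the fix above, as an added example that is not part of the original post or of phpAlbum's code: it canonicalizes the album path once, collapsing any run of slashes and additionally rejecting ".." segments (which goes beyond the post), and checks that the album is a real directory before anything is written. The names normalize_album_path, album_exists and $photosRoot are assumptions.

```php
<?php
// Added example, not phpAlbum code. normalize_album_path() and
// album_exists() are hypothetical helpers; $photosRoot is an assumed
// location of the photo directory.

/**
 * Reduce a user-supplied album path to one canonical form so that
 * "//foo/", "///foo/" and "foo" all map to the same album key.
 * Returns null for input that should be rejected outright.
 */
function normalize_album_path(string $raw): ?string
{
    if (strpos($raw, "\0") !== false) {
        return null;                       // NUL byte never belongs in a path
    }
    $segments = [];
    foreach (explode('/', $raw) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                      // drops the empty segments made by "//"
        }
        if ($seg === '..') {
            return null;                   // refuse to walk out of the photo root
        }
        $segments[] = $seg;
    }
    return implode('/', $segments);        // '' means the top-level album
}

/**
 * Only an album that is a real directory under the photo root may get
 * a directory entry or cache files.
 */
function album_exists(string $photosRoot, string $album): bool
{
    $root = realpath($photosRoot);
    $dir  = realpath($photosRoot . '/' . $album);
    if ($root === false || $dir === false || !is_dir($dir)) {
        return false;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return $dir === $root || strpos($dir, $prefix) === 0;
}

// Constructed sample inputs: the request values from the post plus variants.
foreach (['//////////////', '//foo/', '///foo/', 'foo', 'foo//bar/', '../x'] as $in) {
    $out = normalize_album_path($in);
    printf("%-18s => %s\n", var_export($in, true),
        $out === null ? 'rejected' : var_export($out, true));
}
```

Normalizing once at the request boundary and using only that result as the key for directory entries and cache file names means every spelling of an album resolves to the same records.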

Wau! Hey! Wau!, that is really bad bad, even worse than bad. Sh.t!
Ok, I will for sure release a bugfix today. But why does it create records in the DB? I was curious why I from time to time have some funny directories in my album.
Patrik