<<< Date Index >>>     <<< Thread Index >>>

Multiple bugs in TFT-Gallery

Script Name: TFT-Gallery
Authors: Mike Scalora, Eric Thelin, Sascha Lorenz & Jan Berndt
Website: http://tftgallery.sourceforge.net
Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com)
Status: Patch not released

First i should apologize for my bad english.

Intro:
        TFT-Gallery is a PHP-based Web image gallery & does n't require databse.
        
Bugs Description:
First bug)
        Look at admin`s index page(/admin/index.php)

        if(file_exists("passwd")) {
                        $fd = fopen("passwd", "r");
                        $givenpw = fgets($fd,15);
                        fclose($fd);
                        if(isset($_REQUEST['password']) and
                                isset($_REQUEST['username']) and
                                        $_REQUEST['username']=='admin' and
                                                crypt($_REQUEST['password'], 
"tftgallery") == $givenpw) {
                                $_SESSION['admin']=true;
                        } else {
                                include_once "login_form.inc";
                                exit;
                        }
                }

        TFT-Gallery stores admin's password in "passwd" file at admin folder, 
so everyone has access
to it by going to:
                                                                                
        http://victim/admin/passwd
TIP: Password hashed by DES algorithm.
TIP: Username is "admin".
Second Bug)
        TFT-Gallery doesn't check file extension so if somebody who has gain 
access by First bug can 
upload any file extension (ex. evil.php).

Solution:
        Edit code and store passwd some where else (out of wwwroot).