Security Vulnerabilities in the Imagin Photo Gallery

Following a friend’s request, I did a short security review of the Imagin photo gallery a couple of weeks ago. I looked at the newest version, v3 beta5, but the vulnerabilities may also apply to older versions. So here they are, from least to most important in my opinion.

The file scripts_ralcr/others/sendMail.php is an old-school example of a vulnerable mailing script. It allows a remote attacker to control all the mail fields. It makes it easy to turn your server into a spam server.

The files scripts_ralcr/filesystem/readDirectory.php and scripts_ralcr/filesystem/readAndCreateThumbs.php take a path POST variable from the user and return a listing of the directory that path points to. Of course, this also comes with a directory traversal vulnerability, so it would be easy to list whatever directory you want.

Finally, the file scripts_ralcr/filesystem/writeToFile.php simply allows you to provide, via POST, a path to a file (of course directory traversal is permitted) and content. The script will then write the content to the specified file. This allows a remote attacker to write arbitrary files on the server (which is especially useful after he has listed everything to see what is available on the server).
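The common root cause of the last two issues is a user-supplied path used without being confined to the gallery directory. The following is an added example of that confinement, not Imagin's own code; the gallery root location and the function names are assumptions:

```php
<?php
// Added example: confine a user-supplied path to one allowed directory.
// Not Imagin's code; $galleryRoot and resolveWithinBase() are assumed names.

/**
 * Resolve $userPath relative to $baseDir and return the canonical path only
 * if it still lies inside $baseDir. Returns null otherwise, which covers
 * "../" sequences, absolute paths, symlinks escaping the root and NUL bytes.
 */
function resolveWithinBase(string $baseDir, string $userPath): ?string
{
    if (strpos($userPath, "\0") !== false) {
        return null; // a NUL byte would truncate the path in C-level filesystem calls
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the allowed root must itself exist
    }
    // ltrim keeps "/etc" from being treated as an absolute path
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, "/\\"));
    if ($candidate === false) {
        return null; // nonexistent target, nothing to list
    }
    // Compare against the root with a trailing separator so that
    // "/srv/gallery2" is not accepted as being inside "/srv/gallery".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Vulnerable pattern described above, for contrast: the POST value is used as-is.
//   $entries = scandir($_POST['path']);

// Hardened listing: only directories under the gallery root are ever read.
$galleryRoot = __DIR__ . '/albums'; // assumed location of the gallery files
$dir = resolveWithinBase($galleryRoot, $_POST['path'] ?? '');
if ($dir === null || !is_dir($dir)) {
    http_response_code(400);
    exit('invalid path');
}
$entries = array_values(array_diff(scandir($dir), ['.', '..']));
header('Content-Type: application/json');
echo json_encode($entries);
```

For a write endpoint the same check applies to the parent directory rather than the file, because realpath() returns false for a file that does not exist yet; the filename component should then be restricted separately (for example to a basename with an allowed image extension).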

I’ve followed the steps of responsible disclosure and contacted the author of this photo gallery before posting it. The author replied to me with:

I plan to solve them by the end of the year when I also plan to release a final version.
Till then, IMAGIN is not so popular for someone to exploit it.

I believe that saying that it isn’t popular enough to be exploited is naive, especially given how obvious the vulnerabilities are.
