Security Vulnerabilities in the Imagin Photo Gallery

Following a friend’s request I’ve did a short security review of the Imagin photo gallery couple of weeks ago. I’ve looked at the newest version, v3 beta5, but the vulnerabilities may also apply to older versions. So here they are, from least to most important in my opinion.

The file scripts_ralcr/others/sendMail.php is old school example of vulnerable mailing scripts. It allows a remote attacker to control all the mail fields. It makes it easy to turn your server into a spam server.

The files scripts_ralcr/filesystem/readDirectory.php and scripts_ralcr/filesystem/readAndCreateThums.php take a path POST variable from the user and return a directory list of the directory path is pointing at. Of course it also comes with a directory-traversal so it would be easy to list whatever you want.

Finally, the file scripts_ralcr/filesystem/writeToFile.php simply allows you to provide via POST a path to a file (of course directory traversal is permitted) and content. The script will then write the content to the specified file. This allows a remote attacker to write arbitrary files on the server (which is especially useful after he dir listed everything to see what is available on the server).

I’ve followed the steps of responsible disclosure and contacted the author of these photo gallery before posting it. The author replied to me with:

i plan to solve them by the end of the year when i also plan to release a final version.
Till then, IMAGIN is not so popular for someone to exploit it.

I believe that saying that it isn’t popular enough for exploiting it is naive. Especially noting how obvious the vulnerabilities have been.

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.