Synnergy Laboratories Advisory SLA-2000-15

NAME

       PHPix 1.0.X directory traversal vulnerability

AFFECTED

	Linux/UNIX with PHPix 1.0.0/1.0.1/1.0.2

SYNOPSIS

 Synnergy Labs has found a flaw within PHPix that allows a user to successfully
 traverse the filesystem on a remote host, allowing arbitrary files/folders to be
 read.


DESCRIPTION

 PHPix is a Web-based photo album viewer written in PHP. It features automatic
 generation of thumbnails and different resolution files for viewing on the fly.
 PHPix Photo Album is available from http://phpix.org

 Synnergy has recently discovered a flaw within PHPix that allows a remote user to
 traverse directories by supplying a crafted path in the album parameter of a
 request to the script ($mode=album&album=_some_dir_variable). It is then possible
 to read the contents of any file or folder with the privileges of the httpd.

 Example:

 http://target.com/Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&dispsize=640&start=0

 Requesting the above URL will list all the directories nested within the /etc
 directory. Other more sinister content can be revealed from there.
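 The root cause described above is a user-supplied directory name that is joined
 onto the album base directory without checking that the result still lies inside
 it. The following Python is an added example, not PHPix code and not part of the
 original advisory: it shows the containment check a fixed version needs (decode,
 normalise, then verify the path is still under the album root) and runs the same
 check over a few constructed Apache-style log lines to flag past requests that
 would have escaped the root. The album root path, the log lines and the client
 addresses are all invented for the demonstration.

```python
import re
import posixpath
from urllib.parse import unquote, urlsplit, parse_qs

# Hypothetical album root; the advisory does not state where PHPix is installed.
ALBUM_ROOT = "/var/www/Album"

# Constructed Apache-style access log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2000:10:01:02 +0000] "GET /Album/?mode=album&album=holiday2000&dispsize=640&start=0 HTTP/1.0" 200 5120',
    '10.0.0.9 - - [12/Jul/2000:10:01:07 +0000] "GET /Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&dispsize=640&start=0 HTTP/1.0" 200 2048',
    '10.0.0.9 - - [12/Jul/2000:10:01:09 +0000] "GET /Album/?mode=album&album=holiday2000%252F..%252F..%252Fconf&dispsize=640&start=0 HTTP/1.0" 200 1024',
    '10.0.0.7 - - [12/Jul/2000:10:02:00 +0000] "GET /Album/?mode=thumb&album=pets HTTP/1.0" 200 300',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing, so %2F and a
    double-encoded %252F both end up as a literal '/' before the path check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_album(root, album):
    """Return the canonical path of `album` under `root`, or None if it escapes root.

    The check is lexical (posixpath.normpath) so it runs offline; a production
    version should additionally call os.path.realpath on the joined path so that
    symlinks inside the album tree cannot point back out of it.
    """
    decoded = fully_decode(album)
    if "\x00" in decoded:  # a NUL byte would truncate the path in C-backed file APIs
        return None
    root = posixpath.normpath(root)
    # posixpath.join discards root if `decoded` is absolute, which the prefix
    # test below then rejects; '..' components are collapsed by normpath.
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def flag_traversal(log_lines, root=ALBUM_ROOT):
    """Return (client_ip, raw_album_value) for every request whose album
    parameter would resolve outside the album root."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        params = parse_qs(query, keep_blank_values=True)  # parse_qs decodes once
        for raw in params.get("album", []):
            if resolve_album(root, raw) is None:
                hits.append((line.split(" ", 1)[0], raw))
    return hits


if __name__ == "__main__":
    for ip, album in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: album={album!r}")
```

 Note that the check is done on the fully decoded, normalised path and not by
 searching the raw parameter for "..": the third log line carries a
 double-encoded value that a naive substring match would miss, but it fails the
 same containment test once decoded.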

        Discovery: pestilence @ synnergy.net