Synnergy Laboratories Advisory SLA-2000-15 NAME PHPix 1.0.X directory traversal vulnerability AFFECTED Linux/UNIX with PHPix 1.0.0/1.0.1/1.0.2 SYNOPSIS Synnergy Labs has found a flaw within PHPix that allows a user to successfully traverse the filesystem on a remote host, allowing arbitary files/folders to be read. DESCRIPTION PHPix is a Web-based photo album viewer written in PHP. It features automatic generation of thumbnails and different resolution files for viewing on the fly. PHPix Photo Album is available from http://phpix.org Synnergy has recently discovered a flaw within PHPix that allow a remote user to traverse a directory as a request to the script using the $mode=album&album=_some_dir_variable. It is then possible to read any file or folder's contents with priviledges as the httpd. Example: http://target.com/Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&dispsize=640&start=0 The above line if given will output all the directories that are nested within /etc directory. Other more sinister content can be revealed from there. Discovery: pestilence @ synnergy.net