CVE-2004-1408
Description
CVE-2004-1408 allows authenticated users to upload arbitrary PHP files via insufficient filename validation in the addImage method of admin.class.php in singapore Image Gallery 0.9.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The addImage method in admin.class.php of singapore Image Gallery Web Application version 0.9.10 does not properly validate uploaded filenames. This allows an authenticated user to upload files with arbitrary extensions, including PHP scripts, instead of only image files [1]. The vulnerability exists because the code fails to check whether the uploaded file is actually an image, relying solely on the filename extension.
Exploitation
An attacker must have a valid login to the administrative interface of the gallery. Once logged in, the attacker can use the addImage function to upload a malicious PHP file (e.g., shell.php) instead of an image. No additional privileges or special conditions are required beyond authentication [1].
Impact
Successful exploitation allows the attacker to upload and execute arbitrary PHP code on the web server. This can lead to full compromise of the web application and potentially the underlying server, depending on file permissions and server configuration. The attacker gains the privileges of the web server process [1].
Mitigation
No official fix is documented in the available references [1]. Users should upgrade to a patched version if one becomes available, or restrict access to the administrative interface to trusted users only. As a workaround, implement additional file type validation on the server side (e.g., checking MIME type or using getimagesize()).
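The server-side validation suggested above, written out as an added PHP example. This is not singapore's own code; the function name, the allowlist and the destination directory are assumptions. It combines an extension allowlist with two content checks (getimagesize() and fileinfo) and never reuses the client-supplied name on disk.

```php
<?php
// Added example: server-side image validation for an upload handler.
// Not singapore's addImage; the function name and paths are assumptions.
// The defect behind CVE-2004-1408 is trusting the client-supplied filename
// alone; this routine inspects the uploaded bytes as well.

function validateImageUpload(string $tmpPath, string $clientName, string $destDir): string
{
    // 1. Extension allowlist, derived from the client name and lowercased,
    //    mapped to the IMAGETYPE_* constant the content must match.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $allowed = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF];
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not permitted');
    }

    // 2. Content check: getimagesize() parses the image header and returns
    //    false for a PHP script that was merely renamed to .jpg. Index 2 is
    //    the detected IMAGETYPE_* value, which must agree with the extension.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        throw new RuntimeException('file content is not the declared image type');
    }

    // 3. MIME check via fileinfo as a second opinion on the bytes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        throw new RuntimeException('unexpected MIME type ' . $mime);
    }

    // 4. Never reuse the client filename on disk: generate a server-chosen
    //    name with the validated extension. $destDir should be a directory
    //    the web server is configured not to execute PHP from.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
```

A valid image can still carry arbitrary bytes in metadata, so the content checks reduce risk but do not replace step 4: the upload directory must not be served as executable PHP.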
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 0.9.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.