VYPR
Unrated severity · NVD Advisory · Published Mar 3, 2007 · Updated Apr 23, 2026

CVE-2006-7103

Description

Directory traversal vulnerabilities in EZOnlineGallery 1.3 and earlier allow remote attackers to enumerate directories and read arbitrary image files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

EZOnlineGallery versions 1.3 and earlier (and possibly other versions before 1.3.2 Beta) contain multiple directory traversal vulnerabilities. In ezgallery.php, the album parameter in the show_album action does not sanitize .. sequences, allowing an attacker to determine the existence of arbitrary directories. Additionally, in image.php, both the album and image parameters can be manipulated to read arbitrary image files (JPG, BMP, PNG) from the server's file system. [1]

Exploitation

An attacker can exploit these vulnerabilities by sending crafted HTTP requests. For directory enumeration, a request to ezgallery.php?action=show_album&album=../../../../../etc/ will return a different response if the directory exists. For file reading, a request to image.php?album=../../home/user/images&image=photo.jpg will display the file if it is a readable image. No authentication is required, and the attack can be performed remotely. [1]
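For defenders reviewing web server logs, the following Python script is an added example (not part of the advisory or of EZOnlineGallery) that flags requests to the two scripts named above whose album or image parameter contains a `..` path segment, including percent-encoded and double-encoded forms. The combined log format, the addresses and the album names are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Scripts and parameters named in the advisory text.
WATCHED = {"ezgallery.php": ("album",), "image.php": ("album", "image")}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def flag_line(line):
    """Return (script, param, decoded value) for a suspicious request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in WATCHED.get(script, ()) and is_traversal(value):
            return script, name, fully_decode(value)
    return None

def scan(lines):
    """Return the hits for every flagged line, in log order."""
    return [hit for hit in map(flag_line, lines) if hit]

# Constructed sample log lines (combined log format), not from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2006:10:00:01 +0000] "GET /gallery/ezgallery.php?action=show_album&album=holiday2006 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Nov/2006:10:00:07 +0000] "GET /gallery/ezgallery.php?action=show_album&album=../../../../../etc/ HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Nov/2006:10:00:09 +0000] "GET /gallery/image.php?album=..%2F..%2Fhome%2Fuser%2Fimages&image=photo.jpg HTTP/1.1" 200 48213',
    '203.0.113.9 - - [01/Nov/2006:10:00:12 +0000] "GET /gallery/image.php?album=holiday2006&image=%252e%252e%252fother%252fpic.png HTTP/1.1" 200 9933',
    '203.0.113.5 - - [01/Nov/2006:10:00:20 +0000] "GET /gallery/image.php?album=holiday2006&image=beach..sunset.jpg HTTP/1.1" 200 30311',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The check matches `..` only as a whole path segment, so a file name such as `beach..sunset.jpg` is not flagged.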

Impact

Successful exploitation allows an attacker to confirm the existence of directories on the server, aiding in further attacks. More critically, the attacker can read any image file (JPG, BMP, PNG) that the web server process has read access to, potentially exposing sensitive information such as private photos or credentials stored in images. The confidentiality of the system is compromised, and partial integrity impact is possible if read files can be used in subsequent attacks. [1]

Mitigation

The vendor released version 1.3.2 Beta to address these issues. There is no known workaround. Users should upgrade to this version or later. The advisory was published on October 26, 2006. [1]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • cpe:2.3:a:ezonlinegallery:ezonlinegallery:0.9:beta:*:*:*:*:*:*
  • cpe:2.3:a:ezonlinegallery:ezonlinegallery:1.0:beta:*:*:*:*:*:*
  • cpe:2.3:a:ezonlinegallery:ezonlinegallery:1.1:beta:*:*:*:*:*:*
  • cpe:2.3:a:ezonlinegallery:ezonlinegallery:1.2:beta:*:*:*:*:*:*
  • cpe:2.3:a:ezonlinegallery:ezonlinegallery:1.3:beta:*:*:*:*:*:*
  • (no CPE) range: <1.3.2 Beta

Patches

0

No patches discovered yet.

References

8
