Description
A security issue and multiple vulnerabilities have been discovered in PHP Album, which can be exploited by malicious people to disclose system information, conduct cross-site scripting and cross-site request forgery attacks, and compromise a vulnerable system.
1) Input passed to the "var3" and "p_new_group_name" parameters in main.php (when "cmd" is set to "setup") is not properly sanitised in setup.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited, for example, to change the administrator's password by tricking a logged-in administrator into visiting a malicious web site.
3) Input passed via the "var3" parameter to main.php (when "cmd" is set to "setup") is not properly sanitised before being used in phpdatabase.php. This can be exploited to inject and execute arbitrary PHP code.
4) Input passed to the "var1" parameter in main.php (when "cmd" is set to "imageview") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
5) The application does not restrict access to certain functionality within the main.php script (when "cmd" is set to "phpinfo") and can be exploited to disclose PHP configuration details.
The security issue and vulnerabilities are confirmed in version 0.4.1.16. Other versions may also be affected.
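A log triage sketch for the five items above, added here as an example and not taken from the advisory or from PHP Album. It assumes the parameters arrive in the query string of Combined Log Format access logs, that the site host is the placeholder `album.example`, and that the `MARKUP` character set never occurs in legitimate values; the function name and sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: request line, status, size, then the Referer field.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<ref>[^"]*)"')
# Assumption: legitimate setup values and image names never contain these characters.
MARKUP = re.compile(r'[<>"\'`;$]')

def classify(line, site_host="album.example"):
    """Return the advisory item numbers (1-5) that a log line is consistent with."""
    m = LOG_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("url"))
    if not url.path.endswith("/main.php"):
        return []
    # parse_qs percent-decodes, so encoded markup is matched in decoded form.
    q = {k: v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    cmd, hits = q.get("cmd"), set()
    if cmd == "setup":
        if MARKUP.search(q.get("var3", "")):
            hits |= {1, 3}   # var3 feeds both the reflected output and phpdatabase.php
        if MARKUP.search(q.get("p_new_group_name", "")):
            hits.add(1)
        ref_host = urlsplit(m.group("ref")).hostname
        if ref_host and ref_host != site_host:
            hits.add(2)      # setup action referred from another site
    elif cmd == "imageview" and MARKUP.search(q.get("var1", "")):
        hits.add(4)
    elif cmd == "phpinfo":
        hits.add(5)
    return sorted(hits)

# Constructed sample lines (addresses, hosts, paths and values are invented).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /album/main.php?cmd=phpinfo HTTP/1.1" 200 40213 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /album/main.php?cmd=imageview&var1=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /album/main.php?cmd=setup&var3=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 900 "http://other.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /album/main.php?cmd=imageview&var1=holiday.jpg HTTP/1.1" 200 2048 "http://album.example/album/main.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line.split('"')[1])
```

Values sent in POST bodies do not appear in access logs, so a clean result here does not rule out items 1 to 3.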