Multiple bugs in TFT-Gallery

2006-12-0500:00:00

vulners.com

Script Name: TFT-Gallery
Authors: Mike Scalora, Eric Thelin, Sascha Lorenz & Jan Berndt
Website: http://tftgallery.sourceforge.net
Bug Report: NetJackal (nj[AT]hackerz[DOT]ir & nima_501[AT]yahoo[DOT]com)
Status: Patch not released

First i should apologize for my bad english.

Intro:
TFT-Gallery is a PHP-based Web image gallery & does n't require databse.

Bugs Description:
First bug)
Look at admin`s index page(/admin/index.php)

    if&#40;file_exists&#40;&quot;passwd&quot;&#41;&#41; {
                    $fd = fopen&#40;&quot;passwd&quot;, &quot;r&quot;&#41;;
                    $givenpw = fgets&#40;$fd,15&#41;;
                    fclose&#40;$fd&#41;;
                    if&#40;isset&#40;$_REQUEST[&#39;password&#39;]&#41; and
                            isset&#40;$_REQUEST[&#39;username&#39;]&#41; and
                                    $_REQUEST[&#39;username&#39;]==&#39;admin&#39; and
                                            crypt&#40;$_REQUEST[&#39;password&#39;], &quot;tftgallery&quot;&#41; ==

$givenpw) {
$_SESSION['admin']=true;
} else {
include_once "login_form.inc";
exit;
}
}

    TFT-Gallery stores admin&#39;s password in &quot;passwd&quot; file at admin folder, so everyone has access

to it by going to:

http://victim/admin/passwd
TIP: Password hashed by DES algorithm.
TIP: Username is "admin".
Second Bug)
TFT-Gallery doesn't check file extension so if somebody who has gain access by First bug can
upload any file extension (ex. evil.php).

Solution:
Edit code and store passwd some where else (out of wwwroot).

JSON