quote:Originally posted by Mike Bobbitt: An advisory detailing the problem will hit BugTraq on April 27th. (Thanks to AresU for finding this and for responsible disclosure!)It must have went out on BugTraq early because I just got it:
quote: [qb]AresU Advisory 04/27/2003
Album.pl Vulnerability
Severity : High (CGI Remote Command Execution) Systems Affected: Album.pl up to v6.1 Vendor URL: http://perl.bobbitt.ca/album Vuln Type : CGI Remote Command Execution Status : Vendor contacted, new fixed version available Author : AresU Greetz to : Mike B., Bosen, Tioeuy, syzwz, Heltz, eF73, SakitJiwa, nimdA, Br0374l, FreshFirst, Algorithm All 1ndonesian Security Team (1st) http://www.bosen.net/releases/http://bosen.blogspot.com
Summary ======= album.pl is a popular web photo album application that allows you to simply drop new photo files into a directory, and they will automatically be accessible via the web. Any user can execute commands with Web Server privileges (normally nobody) when use an alternate configuration file.
Donate to UBBDev today to help aid in Operational, Server and Script Maintenance, and Development costs.
Please also see our parent organization VNC Web Services if you're in the need of a new UBB.threads Install or Upgrade, Site/Server Migrations, or Security and Coding Services.