#48 Any image on the webserver could be seen

closed-fixed
bzrudi
security (18)
6
2003-12-29
2003-12-29
Michael
No

You could access any image on the webserver, for example:

http://linpha.sourceforge.net/demo/linpha/get_thumbs_on_fly.php?prev_path=albums%2FBikes%2FKati&filename=../../../../../demo/linpha/graphics/index_logo_aqua.jpg&new_width=512&new_height=384

I think the script should check whether there is an
'../' in the filename and should stop or display an
error image if there is one.
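The check the reporter asks for, written out as an added example in PHP (this is not LinPHA's code and not the CVS fix mentioned later in the thread). It goes a little beyond a literal search for `'../'`: the two request parameters are normalised into a path relative to the gallery directory, any attempt to climb above that directory is refused, backslashes and NUL bytes are handled as well, and `realpath()` confirms containment as a second layer. The function names and the `$root` layout are assumptions made for the example.

```php
<?php
// Added example, not LinPHA's code. Shows how a thumbnail script such as
// get_thumbs_on_fly.php could validate prev_path and filename so that the
// resolved image can never leave the gallery directory. The function names
// and the $root layout are assumptions made for this example.

/**
 * Lexically normalise "$prevPath/$filename" relative to an (assumed) image root.
 * Returns the normalised relative path, or null if the request must be refused.
 * Pure string work: no filesystem access, so it can be unit-tested in isolation.
 */
function normalise_gallery_path(string $prevPath, string $filename): ?string
{
    $candidate = $prevPath . '/' . $filename;

    // A NUL byte would truncate the path inside the C library calls PHP uses.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }

    // Split on both '/' and '\' so "..\" cannot slip past a check that only
    // knows about the forward slash; a leading '/' simply becomes relative.
    $stack = [];
    foreach (preg_split('#[\\\\/]+#', $candidate) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            // Popping an empty stack means the path climbs above the root.
            if (array_pop($stack) === null) {
                return null;
            }
            continue;
        }
        $stack[] = $part;
    }
    return $stack === [] ? null : implode('/', $stack);
}

/**
 * Full check: lexical normalisation plus an OS-level realpath() containment
 * test, which also defeats symlinks pointing outside the root. realpath()
 * returns false for a file that does not exist, which is refused as well.
 */
function safe_gallery_image(string $root, string $prevPath, string $filename): ?string
{
    $relative = normalise_gallery_path($prevPath, $filename);
    if ($relative === null) {
        return null;
    }
    $realRoot = realpath($root);
    $real     = realpath($root . '/' . $relative);
    if ($realRoot === false || $real === false) {
        return null;
    }
    // Require the root plus a separator as prefix, so that a sibling directory
    // such as "/srv/albums-other" is not mistaken for a child of "/srv/albums".
    return strpos($real, $realRoot . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

// Constructed inputs: the request from the report, two variants, and two
// legitimate requests. Only the lexical check is exercised here because it
// needs no files on disk.
$cases = [
    ['albums/Bikes/Kati', '../../../../../demo/linpha/graphics/index_logo_aqua.jpg'],
    ['albums/Bikes/Kati', '..\\..\\..\\..\\etc\\passwd'],
    ['albums/Bikes/Kati', "bike.jpg\0.txt"],
    ['albums/Bikes/Kati', 'bike.jpg'],
    ['albums/Bikes/Kati', './sub/../bike.jpg'],
];
foreach ($cases as [$prevPath, $filename]) {
    $result = normalise_gallery_path($prevPath, $filename);
    printf("%-60s -> %s\n",
           $prevPath . '/' . addcslashes($filename, "\0"),
           $result === null ? 'REFUSED' : $result);
}
```

In a real handler `safe_gallery_image()` is the function to call; it returns the canonical file path to open or `null`, in which case the script should serve its error image instead of the requested one. The lexical pass is kept separate so the traversal logic can be tested without a filesystem, while the `realpath()` pass catches what string handling cannot see, such as a symbolic link inside the album tree that points elsewhere.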

Discussion

  • Michael
    Michael
    2003-12-29

    • summary: Any Image on the webserver could be read --> Any image on the webserver could be seen
  • bzrudi
    bzrudi
    2003-12-29

    Logged In: YES
    user_id=184593

    Greetings,

    the LinPHA crew has received your bug report. Your request is now
    assigned to a LinPHA developer for verification.

    Thanks for reporting!
    bzrudi71

  • bzrudi
    bzrudi
    2003-12-29

    • priority: 5 --> 6
    • assigned_to: nobody --> bzrudi
  • bzrudi
    bzrudi
    2003-12-29

    Logged In: YES
    user_id=184593

    Hi Michael,

    fixed in CVS!

    thanks for reporting!
    cheers bzrudi

  • bzrudi
    bzrudi
    2003-12-29

    • status: open --> closed-fixed