On Saturday, 15 April 2006 07:26, addmimistrator@gmail.com wrote:
> ORIGINAL ADVISORY:
> http://myimei.com/security/2006-04-1...144-plugininclusionsystemindexphp-remotefileinclusion-attack.html
> ------ Summary ------
> Software: CPG Coppermine Photo Gallery
> Software's Web Site: http://coppermine.sourceforge.net/
> Versions: 1.4.4.stable
> Class: Remote
> Status: Unpatched
> Exploit: Available
> Solution: Available
> Discovered by: imei addmimistrator
> Risk Level: High
>
> SEE ORIGINAL ADV FOR MORE INFO!


Quick fix:
change the following lines in index.php:

[SNIP]
$file = str_replace('//','',str_replace('..','',$_GET['file']));
[/SNIP]

to:

[SNIP]
$file = str_replace('..','',$_GET['file']);
[/SNIP]


-- 
Regards,
Dariusz Kolasinski
<Linux Administrator>
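
Added example (not part of the original message and not Coppermine code): a small PHP harness that applies the two expressions quoted above to every short string over a constructed alphabet and counts the inputs whose filtered output still contains `..`. It shows why the extra `str_replace('//', ...)` pass matters: deleting characters after the `..` pass can join two dots that were previously apart, whereas a single `..` pass leaves no `..` behind. The function names, the alphabet and the length limit are assumptions made for this example.

```php
<?php
// Added example. The two filter expressions are the ones quoted in the
// message; the function names and the search harness are hypothetical.

function filter_before(string $in): string {
    // 1.4.4 line: strip '..' first, then strip '//'
    return str_replace('//', '', str_replace('..', '', $in));
}

function filter_after(string $in): string {
    // quick-fix line: strip '..' only, in a single pass
    return str_replace('..', '', $in);
}

// Enumerate every string of length 1..$maxLen over $alphabet and collect
// the inputs whose filtered output still contains '..'.
function residual_dotdot(callable $filter, array $alphabet, int $maxLen): array {
    $hits = [];
    $frontier = [''];
    for ($len = 1; $len <= $maxLen; $len++) {
        $next = [];
        foreach ($frontier as $prefix) {
            foreach ($alphabet as $ch) {
                $s = $prefix . $ch;
                $next[] = $s;
                if (strpos($filter($s), '..') !== false) {
                    $hits[] = $s;
                }
            }
        }
        $frontier = $next;
    }
    return $hits;
}

$alphabet = ['.', '/', 'a'];   // constructed test alphabet
$before = residual_dotdot('filter_before', $alphabet, 6);
$after  = residual_dotdot('filter_after',  $alphabet, 6);

printf("before: %d inputs leave '..' in the output\n", count($before));
printf("after:  %d inputs leave '..' in the output\n", count($after));
```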