Date: Thu, 06 Aug 2009 12:23:15 -0400
From: Scott Miles <>
Subject: [CSS09-01] SlideShowPro Director File Disclosure Vulnerability

CSS09-01: SlideShowPro Director File Disclosure Vulnerability
August 5, 2009

SlideShowPro Director is vulnerable to a file disclosure flaw because it
fails to perform proper validation and handling of input parameters.
Attackers can exploit this vulnerability to read arbitrary files from
the hosting web server.

SlideShowPro Director version 1.1 through 1.3.8.

Rating:  High Risk
Impact:  Unauthorized access to system files
Where:   Remote

SlideShowPro Director is a complement to SlideShowPro, “a web-based
component designed to be integrated into any web site … for displaying
photos and videos.” Director is “a secure, easy to use application you
install on your own web server...for managing and updating your
slideshow content…” 

The vendor has released version 1.3.9 to address this issue. Refer to for upgrade

CVE number not yet assigned.
A copy of this bulletin is located at:

The “p.php” file contains logic that is vulnerable to directory
traversal attacks. The “a” parameter passed to this script carries a
file name that can be set to any value, including one containing
relative directory paths. The resulting file is retrieved and displayed.

The application incorporates scrambling/obfuscation techniques to mask
the vulnerable parameter that is supplied to the application. A
moderately skilled attacker can reverse the obfuscation without any
access to the affected server or source code.

Vulnerable installations can be identified by the XML data file
generated by SlideShowPro Director and used by the SlideShowPro
component; it will contain base64-encoded “a” parameters to the “p.php”

<?xml version="1.0" encoding="utf-8"?>
<!-- XML Generated by SlideShowPro Director v1.3.8 -->
<gallery title="masked" description="masked">
    <album id="album-17" title="masked" description=""
tn= tnPath=

The affected parameter is only accepted as a “GET” variable. The web
server should therefore log any exploitation attempts if basic logging
of the query string is enabled. Identifying actual exploitation is
hindered, since the attacking parameter is scrambled, but the logic to
reverse this data can be extracted from the application code and
settings if necessary. Web server error logs may also contain suspicious
PHP file access warnings if a file requested by an attacker is not present.
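As an added example (not part of this advisory or of the vendor's code), the following Python scans access-log lines of the kind the paragraph describes: it picks out GET requests to p.php, base64-decodes the “a” parameter, and flags values that contain directory-traversal sequences. The log lines are constructed, and the `unscramble` hook is an assumption that handles plain base64 only; a site's own key/salt routine would have to be substituted there.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Request portion of an Apache/nginx combined-format access log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# "../" or "..\" at the start of the value or after a separator.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def unscramble(value):
    """Reverse the parameter scrambling (assumed: plain base64 only).

    The advisory says the "a" value is base64-encoded and that any further
    scrambling must be recovered from the site's own code and settings;
    replace this body with that site-specific routine where it exists."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value  # not valid base64: inspect the raw value instead

def query_params(query):
    """Split a query string; unquote() keeps '+' intact, unlike parse_qs."""
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        yield unquote(key), unquote(val)

def inspect_line(line):
    """Return a finding dict for a suspicious p.php request, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/p.php"):
        return None
    for key, raw in query_params(parts.query):
        decoded = unscramble(raw) if key == "a" else ""
        if TRAVERSAL_RE.search(decoded):
            return {"ip": m.group("ip"), "ts": m.group("ts"), "decoded": decoded,
                    "status": m.group("status"), "reason": "traversal in 'a'"}
    return None

def scan_log(text):
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]

def _b64(s):  # helper to build the constructed sample lines below
    return base64.b64encode(s.encode()).decode()

SAMPLE_LOG = "\n".join([  # constructed sample data, not real traffic
    f'203.0.113.5 - - [06/Aug/2009:12:23:15 -0400] "GET /director/p.php?a={_b64("images/17/photo.jpg")} HTTP/1.1" 200 5123',
    f'203.0.113.9 - - [06/Aug/2009:12:24:01 -0400] "GET /director/p.php?a={_b64("../../../config.php")} HTTP/1.1" 200 1843',
    '198.51.100.7 - - [06/Aug/2009:12:25:44 -0400] "GET /director/p.php?a=%2e%2e%2fsettings.php HTTP/1.1" 404 212',
    '198.51.100.7 - - [06/Aug/2009:12:26:10 -0400] "GET /index.html HTTP/1.1" 200 904',
])
```

Running `scan_log(SAMPLE_LOG)` reports the second and third lines only; the non-base64 third line shows why the raw value is kept as a fallback.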

A proof-of-concept tool to exploit this vulnerability that accommodates
the parameter scrambling for any site has been created but not
published. Note that even sites that have defined a custom “key” or
“salt” for the scrambling routines are vulnerable.

This issue exposes the confidentiality of any files residing on the same
drive as the component including configuration files with system access
credentials, the source code to application pages, and possibly customer
data files.

The issue can be exploited by anyone from the Internet. The ability to
identify/crack the scrambling key would require a moderately skilled
individual, although once the algorithm is published, exploiting the
issue is trivial. This vulnerability can be easily scripted and
automated, placing it within reach of any individual. An attacker must
know the name of desired files.

Scott Miles of Clear Skies Security identified this flaw.
Clear Skies would like to thank the vendor for their openness and
responsiveness in dealing with this issue.

2009-07-20: Vendor notified; confirmed vulnerability.
2009-07-22: Vendor provides patch.
2009-08-06: Public disclosure.

Scott Miles
Principal Consultant
Clear Skies Security
