Multiple vulnerabilities and a weakness have been discovered in InterPhoto Gallery, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to disclose sensitive information.

1) Input passed via the "file" parameter to InterPhoto.thumbnail.php is not properly sanitised before being used. This can be exploited to read the content of arbitrary files by passing a specially crafted string, including directory traversal sequences.

Successful exploitation of this vulnerability allows disclosing e.g. the "WEBSITE_KEY" in "config/InterPhoto.config.php".

2) The mydesk.upload.php script does not properly validate uploaded files, which can be exploited to upload files with arbitrary extensions.

Successful exploitation of this vulnerability allows execution of arbitrary PHP code, but requires knowledge of the generated filename (e.g. via vulnerability #1 or enabled directory listings).

3) The application stores database backups insecurely, which can be exploited to brute-force the name of database backup files and download them.

Successful exploitation requires knowledge of the path to the "admin" directory, but can also be exploited without brute-forcing the filename if directory listings are enabled.

The vulnerabilities are confirmed in version 2.4.0 (downloaded 2010-07-12) on the Windows platform. Other versions may also be affected.

Solution
Update to an updated version 2.4.0 (2010-07-13), which fixes vulnerability #1, and disable directory listings.

Provided and/or discovered by
1) Secunia Research
2) Russ McRee, reported via Secunia
3) abysssec

Changelog
Further details available to Secunia VIM customers

Original Advisory
Secunia Research:
http://secunia.com/secunia_research/2010-94/

Russ McRee:
https://holisticinfosec.org/content/view/151/45/

Deep Links
Links available to Secunia VIM customers