PT-2007-1381 · Unknown · Ezonlinegallery

Published 2007-03-03 · Updated 2024-02-14 · CVE-2006-7103

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: EZOnlineGallery versions 1.3 and earlier
Description: Multiple directory traversal vulnerabilities allow remote attackers to determine whether a directory exists and to read arbitrary image files. A ".." in the album parameter of a show album action to "ezgallery.php" produces different responses depending on whether the target directory exists, which acts as an existence oracle; a ".." in the album or image parameter to "image.php" reads files outside the gallery's image directory.
Recommendations: For EZOnlineGallery versions 1.3 and earlier, update to version 1.3.2 Beta or later. Until the update is applied, restrict access to "ezgallery.php" and "image.php" (for example with web-server access controls) or disable them; the album and image parameters are the normal inputs of those scripts, so exposure cannot be reduced without limiting the affected functionality.
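The following is an added illustration, not EZOnlineGallery's own code: the directory layout (an albums/ tree under a gallery root), the constant and the function names are assumptions. It shows the path-concatenation pattern that the description implies beside a hardened resolver that rejects dot segments and separators in each parameter, verifies the realpath() prefix (so a symlink cannot escape either), and returns the same 404 for rejected and missing paths, which removes the existence oracle in the show album action.

```php
<?php
// Added illustrative example; not EZOnlineGallery's code. The albums/ layout
// ($galleryRoot/albums/<album>/<image>) and all names here are assumptions.

const GALLERY_ROOT = '/var/www/gallery';

// Vulnerable pattern (reconstructed): untrusted parameters are concatenated
// straight into a filesystem path, so ?album=../../etc&image=passwd resolves
// outside albums/, and a file_exists()/is_dir() check on the result, followed
// by a different response, tells the client whether the target exists.
function vulnerable_path(string $album, string $image = ''): string
{
    return GALLERY_ROOT . '/albums/' . $album . ($image !== '' ? '/' . $image : '');
}

// Hardened: every component must be a single path element and the resolved
// path must stay under the albums root. Returns null on any failure so the
// caller can answer uniformly (no existence oracle).
function resolve_under_albums(array $components): ?string
{
    $albumsRoot = realpath(GALLERY_ROOT . '/albums');
    if ($albumsRoot === false) {
        return null;
    }
    foreach ($components as $component) {
        if ($component === '' || $component === '.' || $component === '..'
            || strpbrk($component, "/\\\0") !== false) {
            return null;
        }
    }
    $resolved = realpath($albumsRoot . '/' . implode('/', $components));
    // realpath() returns false for missing files; a symlink inside albums/
    // could still point elsewhere, so the resolved prefix is checked as well.
    if ($resolved === false
        || strncmp($resolved, $albumsRoot . DIRECTORY_SEPARATOR, strlen($albumsRoot) + 1) !== 0) {
        return null;
    }
    return $resolved;
}

// image.php: serve only known image types that resolve inside albums/.
function serve_image(string $album, string $image): void
{
    $types = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $path = resolve_under_albums([$album, $image]);
    $ext = $path === null ? '' : strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if ($path === null || !is_file($path) || !isset($types[$ext])) {
        http_response_code(404);   // identical answer for "rejected" and "missing"
        return;
    }
    header('Content-Type: ' . $types[$ext]);
    readfile($path);
}

// ezgallery.php show-album action: list an album only if it resolves inside albums/.
function list_album(string $album): ?array
{
    $dir = resolve_under_albums([$album]);
    if ($dir === null || !is_dir($dir)) {
        return null;               // caller answers 404 whether rejected or missing
    }
    return array_values(array_diff(scandir($dir), ['.', '..']));
}

// Minimal dispatch so the file runs as a page.
if (isset($_GET['image'])) {
    serve_image($_GET['album'] ?? '', $_GET['image']);
} elseif (isset($_GET['album'])) {
    $files = list_album($_GET['album']);
    if ($files === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: text/plain');
    echo implode("\n", $files);
}
```

The extension allowlist is the second line of defence for image.php: even if a path inside albums/ is reached by an unexpected route, only image types are served. The uniform 404 matters as much as the path check; a resolver that rejects traversal but still distinguishes "bad path" from "no such album" in its response keeps the directory-existence leak the description attributes to ezgallery.php.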


Related Identifiers: CVE-2006-7103

Affected Products: Ezonlinegallery