sebsauvage / MinigalNano

Directory traversal using createthumb.php

nodiscc opened this issue · comments

Not as severe as the previous directory traversal (as it doesn't allow directly listing all files in a directory), but calling createthumb.php?filename=/path/to/private/directory/containing/KqSodJY.jpg&size=320 reveals the contents of the file if it's a supported image.

It also allows knowing whether a file exists or not on the server (returns cannotopen.jpg if the file exists, questionmark.jpg if it does not exist) and thus can be used to enumerate files/directories using brute-force/dictionary.

createthumb.php should check if the target file is a child of / contains the realpath of the pictures directory.
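The realpath containment check proposed above, as an added example that is not MinigalNano's own code. It assumes a hypothetical `$picturesDir` (the gallery's image directory) and a `$requested` value taken from the `filename` parameter; everything else is standard PHP. Because a path that resolves outside the gallery and a path that does not exist both yield the same result, the caller no longer has to distinguish the two, which also closes the file-existence oracle described in the report.

```php
<?php
// Added example (not the project's code): resolve a requested image name
// safely inside the gallery directory, or return null.
function resolve_inside_gallery(string $picturesDir, string $requested): ?string
{
    // Reject embedded null bytes up front; behaviour of filesystem calls on
    // such strings differs between PHP versions.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    $base = realpath($picturesDir);
    if ($base === false) {
        return null; // gallery directory itself is missing or unreadable
    }

    // Always resolve relative to the gallery root. Concatenating neutralises
    // an absolute "/home/user/random/dir/1.jpg", and realpath() collapses any
    // ".." segments and symlinks, returning false for non-existent files.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }

    // Containment: the resolved path must equal the base or begin with
    // base + separator. Checking the separator prevents a sibling such as
    // "/var/www/pictures-private" from matching "/var/www/pictures".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $target;
}

// Hypothetical wiring for createthumb.php; "photos" is an assumed
// directory name, not the project's real layout.
$picturesDir = __DIR__ . DIRECTORY_SEPARATOR . 'photos';
$path = resolve_inside_gallery($picturesDir, (string)($_GET['filename'] ?? ''));
if ($path === null) {
    // Same response for "outside the gallery" and "does not exist".
    header('HTTP/1.1 404 Not Found');
    exit;
}
// ... continue with thumbnail generation using $path only ...
```

Note that a symlink inside the gallery pointing outside it is also rejected, since realpath() follows it before the prefix comparison.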

When you say createthumb.php?filename=/path/to/private/directory/containing/KqSodJY.jpg&size=320, you mean that we can use some .. in this URL? So we can use createthumb to explore directories higher up in the tree?

I mean accessing absolute paths like /home/user/random/dir/1.jpg, even when MG is in /var/www/minigal. Did not test with .. in the path.

So we can use createthumb to explore directories higher up in the tree?

Yes, at least enumerate existing/nonexisting files (probe common filenames of binaries in bin/, config files present in etc/, etc.)

If you agree can you add a security tag for this bug?

I filtered every request starting with a /; it should be fixed now. Can you confirm?