Lucene search

K
securityvulns
SecurityvulnsSECURITYVULNS:DOC:18983
HistoryJan 31, 2008 - 12:00 a.m.

[waraxe-2008-SA#066] - Multiple Vulnerabilities in Coppermine 1.4.14

2008-01-3100:00:00
vulners.com
59

[waraxe-2008-SA#066] - Multiple Vulnerabilities in Coppermine 1.4.14

Author: Janek Vind "waraxe"
Date: 31. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-66.html

Target software description:


Coppermine Photo Gallery is a multi-purpose fully-featured and integrated web
picture gallery script written in PHP using GD or ImageMagick as image library
with a MySQL backend.

Coppermine Photo Gallery has been tested working well on IIS, Apache 1.3.24
onwards to the latest Apache 2, on Linux, UNIX, OSX, and Win32 systems.

Vulnerabilities discovered
===============================================================================

1. Reflected XSS in "docs/showdoc.php"

http://localhost/coppermine.1.4.14/docs/showdoc.php?
h=waraxe&t=<script>alert(123);</script>
http://localhost/coppermine.1.4.14/docs/showdoc.php?
h=</title><script>alert(123);</script>&t=waraxe

  1. Low-impact sql injection(s) in "util.php"

Preconditions:
===============
a&#41; Attacker must have Coppermine admin privileges.


Example fragment from source code:
--------------------------------------------------
function update_thumbs&#40;&#41;
{
        global $CONFIG, $lang_util_php;

        $albumid = &#40;isset&#40;$_POST[&#39;albumid&#39;]&#41;&#41; ? $_POST[&#39;albumid&#39;] : 0;
        $albstr = &#40;$albumid&#41; ? &quot;WHERE aid = $albumid&quot; : &#39;&#39;;

        $updatetype = $_POST[&#39;updatetype&#39;];
        $numpics = $_POST[&#39;numpics&#39;];
        $startpic = &#40;isset&#40;$_POST[&#39;startpic&#39;]&#41;&#41; ? $_POST[&#39;startpic&#39;] : 0;

        echo &quot;&lt;h2&gt;{$lang_util_php[&#39;thumbs_wait&#39;]}&lt;/h2&gt;&quot;;

        $result = cpg_db_query&#40;&quot;SELECT * FROM {$CONFIG[&#39;TABLE_PICTURES&#39;]}
 $albstr LIMIT $startpic, $numpics&quot;&#41;;
        $count = mysql_num_rows&#40;$result&#41;;
--------------------------------------------------

As seen above, &quot;$_POST[&#39;albumid&#39;]&quot;, &quot;$_POST[&#39;startpic&#39;]&quot; and
&quot;$_POST[&#39;numpics&#39;]&quot; are used in sql query without proper sanitization.
Clearly this points to possible sql injection security hole.
As this script can be used only by admins, then i&#39;d classify it as
&quot;low impact&quot;. By the way, there seems to be  more sql injections in this
script.


3. Low-impact sql injection&#40;s&#41; in &quot;reviewcom.php&quot;

Preconditions:

a) Attacker must have Coppermine admin privileges.

Example fragment from source code:

if (isset($_POST['cid_array'])) {
$cid_array = $_POST['cid_array'];
$cid_set = '';
foreach ($cid_array as $cid)
$cid_set .= ($cid_set == '') ? '(' . $cid : ', ' . $cid;
$cid_set .= ')';

cpg_db_query&#40;&quot;DELETE FROM {$CONFIG[&#39;TABLE_COMMENTS&#39;]}

WHERE msg_id IN $cid_set");
$nb_com_del = mysql_affected_rows();
}

It's easy to spot the problem - unsanitized data from "$_POST['cid_array']"
is used in DELETE query. In case of MySql 4.1.x attacker can fetch any info
from database via using subqueries functionality in affected DELETE query.
"Low impact" - because Coppermine admin privileges needed.

  1. Information leakage in "update.php"

Anyone can execute update script &quot;update.php&quot;:

http://victim.com/cpg14x/update.php

This specific script seems to be harmless in allready installed coppermine
instances, but looking at output, produced by script, we can see some insider
information. Example - database table prefix can be seen by potential attacker.
This piece of information can be useful in further attacks.

5. Path diclosure in &quot;include/slideshow.inc.php&quot;

http://localhost/coppermine.1.4.14/include/slideshow.inc.php

… and we see error message in javascript source code:

<b>Fatal error</b>: Call to undefined function get_pic_data() in <b>
C:\apache_wwwroot\coppermine.1.4.14\include\slideshow.inc.php
</b> on line <b>53</b><br />

How to fix:


Download new Coppermine version 1.4.15 as soon as possible!


Greetings:

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, koko, str0ke
and anyone else who know me!
Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale!

Contact:


come2waraxe@yahoo.com
Janek Vind &quot;waraxe&quot;

Homepage: http://www.janekvind.com/
Waraxe forum:  http://www.waraxe.us/forums.html

---------------------------------- [ EOF ] ---------------------------------
Use Vulners API to create your own security tool

API usage cases
  • Network scanning
  • Linux Patch management
  • Threat protection
  • No network audit solution

Ways of integration

Integrate Vulners API