Coppermine 1.2x security exploits :: Archived

DJ Maze · Last edited by DJ Maze on Wed May 05, 2004 6:27 am; edited 4 times in total

Most of this is accesible thru a hacked admin account.
Since CPG-Nuke has secure admin it is hard to break in, but when they get in you could loose everything, so read.

Thanks to Maku for notifying Exclamation

Quote::

{================================================================================}
{ [waraxe-2004-SA#026] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 29. April 2004
Location: Estonia, Tartu
Web: www.waraxe.us/index.ph...&id=26

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Coppermine Photo Gallery 1.2.2b for CMS
Copyright (C) 2002,2003 Grégory DEMAR <gdemar@wanadoo.fr>
www.chezgreg.net/coppermine/
Updated by the Coppermine Dev Team coppermine.sf.net/team/
New Port by GoldenTroll
coppermine.findhere.org/
Based on coppermine 1.1d by Surf www.surf4all.net/
coppermine.findhere.org

I have tested two versions of the Coppermine: 1.2.2b and 1.2.0 RC4, which i will name
further as "new version" and "old version".

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

Many scripts in Coppermine software package are not protected against direct access,
therefore standard php error messages can be provoked, which leads to exposure the full
path to the scripts. Such piece of information has great value for potential attacker, who
will use this in next steps of hacking.

Version scope: both new and old versions are affected.

FIXES Add a die() line (seems they got lost along the way after a merge of standalone and cms version:

phpinfo.php

PHP:

if (!defined('IN_COPPERMINE')) DIE();
function cpgGetPhpinfoConf($search)

addpic.php

PHP:

if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die ("You can't access this file directly...");
}
define('ADDPIC_PHP', true);
define('NO_HEADER', true);
require("modules/" . $name . "/include/load.inc.php");

config.php

PHP:

if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die ("You can't access this file directly...");
}
define('CONFIG_PHP', true);
require("modules/" . $name . "/include/load.inc.php");

db_input.php

PHP:

if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die ("You can't access this file directly...");
}
define('DB_INPUT_PHP', true);
require("modules/" . $name . "/include/load.inc.php");

displayecard.php

PHP:

if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die ("You can't access this file directly...");
}
define('DISPLAYECARD_PHP', true);
require("modules/" . $name . "/include/load.inc.php");

ecard.php

PHP:

if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die ("You can't access this file directly...");
}
define('ECARDS_PHP', true);
require("modules/" . $name . "/include/load.inc.php");

include/crop.inc.php

PHP:

if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');
// ////////////////// Variables //////////////////////////////
// used texts
$txt['bigger'] = ">";

Quote::

B. Cross-site scripting aka XSS:

Can be used by potential attacker for stealing cookies and doing other operations, which in
normal conditions are not permitted by browser's cross-domain security restrictions.

Version scope: only new version is affected.

REMOVE docs/menu.inc.php

Quote::

C. Arbitrary directory browsing (needs nuke admin rights!):

PhpNuke is known by the many security bugs, leading to admin account overtaking by attacker.
So needing of the admin rights to use this exploit is not such big restriction ...

Version scope: both new and old versions are affected.

searchnew.php

PHP:

function getallpicindb(&$pic_array, $startdir)
{
    global $CONFIG;
    if (ereg('\.\.', $startdir)) die('Access denied'); // thanks to waraxe for finding this admin vulnerability
    $sql = "SELECT filepath, filename " . "FROM {$CONFIG['TABLE_PICTURES']} " . "WHERE filepath LIKE '$startdir%'";
    $result = db_query($sql);

Quote::

D. Execution of the arbitrary shell commands in server (needs nuke admin rights!):

Yes, again we need PhpNuke admin privileges to accomplish this exploit, but as said before,
there are many ways to compromise nuke's admin account.

Version scope: both new and old versions are affected.

include/picmgmt.inc.php AND include/picmgmtbatch.inc.php

PHP:

    // try to get more memory for executing large pictures -> DJMaze
    ini_set("memory_limit", "32M");
    // Method for thumbnails creation
    $CONFIG['jpeg_qual'] = intval($CONFIG['jpeg_qual']);
    $CONFIG['im_options'] = escapeshellarg($CONFIG['im_options']);
    switch ($method) {

Quote::

E. Remote file inclusion:

Version scope: both new and old versions are affected (different bugs in different scripts).

There exists remote file inclusion vulnerabilities in Coppermine Photo Gallery, which
can lead to arbitrary php code parsing, shell commands injection, etc. And as discussed before,
finally this can lead to total compromise of the victim server.

Of course, attacker's server, where those scripts are, must NOT PARSE PHP!!

See ya!

open your theme.php

PHP:

/* (at your option) any later version.                                      */
/****************************************************************************/
/*   $Id: theme.php,v 1.6 2004/04/08 08:23:42 gtroll Exp $          */
/****************************************************************************/
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');

Dogman · Newbie Offline Joined: May 01, 2004 Posts: 2

Hi,...

this Code:

Code::

if (ereg('..', $startdir)) die('Access denied');

in "searchnew.php" will not work for me...

"$startdir" is filled with: "userpics/Menschen/" but I get an "Access denied"...

Dogman Cool

sigi · Newbie Offline Joined: May 01, 2004 Posts: 5

same for me - access denied ...

lost1 · Newbie Offline Joined: Apr 25, 2004 Posts: 28

Thank you. 1 question

Quote::

REMOVE menu.inc.php

does this line refer to postnuke only?

DJ Maze

Oops the code should be searchnew.php

PHP:

function getallpicindb(&$pic_array, $startdir)
{
    global $CONFIG;
    if (ereg('\.\.', $startdir)) die('Access denied'); // thanks to waraxe for finding this admin vulnerability
    $sql = "SELECT filepath, filename " . "FROM {$CONFIG['TABLE_PICTURES']} " . "WHERE filepath LIKE '$startdir%'";
    $result = db_query($sql);

Dogman · Newbie Offline Joined: May 01, 2004 Posts: 2

This did it... Very Happy

Thank you...

Dogman Cool

darkgrue

PHP:

$CONFIG['jpeg_qual'] = escapeshellarg($CONFIG['jpeg_qual']);

Since the parameter is always supposed to be an integer, can I suggest:

PHP:

$CONFIG['jpeg_qual'] = intval($CONFIG['jpeg_qual']);

This is causing problems on my installation (does it with the jpeg_qual value too, which is why I used intval()):

PHP:

$CONFIG['im_options'] = escapeshellarg($CONFIG['im_options']);

It ends up changing the string (I've verified the database):

Quote::

-antialias

to:

Quote::

''\''-antialias'\'''

Ugh. Not good.
I fixed the problem by changing the line to read:

PHP:

$im_options = escapeshellarg($CONFIG['im_options']);

and changing {$CONFIG['im_options']} to {$im_options} in Line 145.

DJ Maze

thanks darkgrue

Head-e · Silver Supporter Offline Joined: Apr 20, 2004 Posts: 937

is there anyway to make a patch, or post updated files for the less knowledgable php users? Rolling Eyes

i'm tryin!

Trevor

cvs.sourceforge.net/vi...ortby=date

Phoenix

The Topic was 1.2x - CPG-Nuke releases are 1.3.0 - use CVS at your own risk, otherwise use 8.1.1 and refer issues to Modules Forum. Smile

Trevor

Oops, sorry Embarassed

Jeruvy

Full-Disclosure Today.

Watch the kiddies come out.

DJ Maze

Check my new topic
cpgnuke.com/index.php?...&t=422 to see more hack prevention especialy to prevent above attacks and trap them instantly Very Happy

sigi · Newbie Offline Joined: May 01, 2004 Posts: 5

just one more question.-.-.

after installing the above fixes the thumbnail and normal pics have a rather nasty look - see it at www.allygally.de , the pics added today -.-.-.

any idea what this could be ?