
Archived ⇒ Coppermine 1.2x security exploits


Most of this is accessible through a hacked admin account.
Since CPG-Nuke has secure admin it is hard to break in, but when they get in you could lose everything, so read.

Thanks to Maku for notifying!

{================================================================================}
{ [waraxe-2004-SA#026] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 29. April 2004
Location: Estonia, Tartu
Web: www.waraxe.us/index.ph...&id=26


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Coppermine Photo Gallery 1.2.2b for CMS
Copyright (C) 2002,2003 Grégory DEMAR <gdemar@wanadoo.fr>
www.chezgreg.net/coppermine/
Updated by the Coppermine Dev Team coppermine.sf.net/team/
New Port by GoldenTroll
coppermine.findhere.org/
Based on coppermine 1.1d by Surf www.surf4all.net/
coppermine.findhere.org

I have tested two versions of the Coppermine: 1.2.2b and 1.2.0 RC4, which I will name
further as "new version" and "old version".


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

Many scripts in the Coppermine software package are not protected against direct access,
therefore standard PHP error messages can be provoked, which leads to exposure of the full
path to the scripts. Such a piece of information has great value for a potential attacker, who
will use it in the next steps of hacking.

Version scope: both new and old versions are affected.


FIXES: Add a die() line (it seems they got lost along the way after the merge of the standalone and CMS versions):

phpinfo.php
```php
if (!defined('IN_COPPERMINE')) die();

function cpgGetPhpinfoConf($search)
```

addpic.php
```php
// bail out when the script is requested directly (URL contains "modules/")
// instead of through the CMS front controller
if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die("You can't access this file directly...");
}
define('ADDPIC_PHP', true);
define('NO_HEADER', true);
require("modules/" . $name . "/include/load.inc.php");
```

config.php
```php
if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die("You can't access this file directly...");
}
define('CONFIG_PHP', true);
require("modules/" . $name . "/include/load.inc.php");
```

db_input.php
```php
if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die("You can't access this file directly...");
}
define('DB_INPUT_PHP', true);
require("modules/" . $name . "/include/load.inc.php");
```

displayecard.php
```php
if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die("You can't access this file directly...");
}
define('DISPLAYECARD_PHP', true);
require("modules/" . $name . "/include/load.inc.php");
```

ecard.php
```php
if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die("You can't access this file directly...");
}
define('ECARDS_PHP', true);
require("modules/" . $name . "/include/load.inc.php");
```

include/crop.inc.php
```php
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');

// ////////////////// Variables //////////////////////////////
// used texts
$txt['bigger'] = ">";
```

B. Cross-site scripting aka XSS:

Can be used by potential attacker for stealing cookies and doing other operations, which in
normal conditions are not permitted by browser's cross-domain security restrictions.

Version scope: only new version is affected.


REMOVE docs/menu.inc.php

C. Arbitrary directory browsing (needs nuke admin rights!):

PhpNuke is known for its many security bugs, leading to admin account takeover by the attacker.
So needing admin rights to use this exploit is not such a big restriction ...

Version scope: both new and old versions are affected.

searchnew.php
```php
function getallpicindb(&$pic_array, $startdir)
{
    global $CONFIG;

    // refuse any requested directory containing ".."
    if (ereg('\.\.', $startdir)) die('Access denied'); // thanks to waraxe for finding this admin vulnerability

    $sql = "SELECT filepath, filename " .
           "FROM {$CONFIG['TABLE_PICTURES']} " .
           "WHERE filepath LIKE '$startdir%'";
    $result = db_query($sql);
```

D. Execution of arbitrary shell commands on the server (needs nuke admin rights!):

Yes, again we need PhpNuke admin privileges to accomplish this exploit, but as said before,
there are many ways to compromise nuke's admin account.

Version scope: both new and old versions are affected.


include/picmgmt.inc.php AND include/picmgmtbatch.inc.php
```php
// try to get more memory for executing large pictures -> DJMaze
ini_set("memory_limit", "32M");

// Method for thumbnails creation
$CONFIG['jpeg_qual'] = intval($CONFIG['jpeg_qual']);
$CONFIG['im_options'] = escapeshellarg($CONFIG['im_options']);
switch ($method) {
```

E. Remote file inclusion:

Version scope: both new and old versions are affected (different bugs in different scripts).

There exist remote file inclusion vulnerabilities in Coppermine Photo Gallery, which
can lead to arbitrary PHP code parsing, shell command injection, etc. And as discussed before,
this can finally lead to total compromise of the victim server.

Of course, the attacker's server, where those scripts are, must NOT PARSE PHP!!

See ya!


open your theme.php:
```php
/* (at your option) any later version.                                      */
/****************************************************************************/
/* $Id: theme.php,v 1.6 2004/04/08 08:23:42 gtroll Exp $                    */
/****************************************************************************/
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');
```

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Wed May 05, 2004 6:27 am; edited 4 times in total
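An added audit helper, not from this thread or from Coppermine: it walks a module directory and lists the .php files whose head carries neither of the two guard forms used in the fixes above (the IN_COPPERMINE check or the PHP_SELF check), so any script still reachable directly can be found before it is made to print a path-revealing PHP error. The directory argument and the 8 KB head size are assumptions.

```php
<?php
// Added audit helper, not part of Coppermine or of this thread. Lists the
// .php files under a module directory whose head contains neither guard form
// from the fixes above. The directory argument and the 8 KB head size are
// assumptions; adjust them for your install.

function hasDirectAccessGuard(string $source): bool
{
    // Form 1: if (!defined('IN_COPPERMINE')) die(...);
    $defineGuard = '/defined\s*\(\s*[\'"]IN_COPPERMINE[\'"]\s*\)/';
    // Form 2: if (eregi("modules/", $_SERVER['PHP_SELF'])) { die(...); }
    $selfGuard = '/modules\/.*\$_SERVER\s*\[\s*[\'"]PHP_SELF[\'"]\s*\]/';
    return preg_match($defineGuard, $source) === 1
        || preg_match($selfGuard, $source) === 1;
}

function findUnguardedScripts(string $dir): array
{
    $unguarded = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        // Only the head matters: the guard has to run before any statement
        // that can fail (undefined function, missing include) and leak a path.
        $head = file_get_contents($file->getPathname(), false, null, 0, 8192);
        if ($head !== false && !hasDirectAccessGuard($head)) {
            $unguarded[] = $file->getPathname();
        }
    }
    sort($unguarded);
    return $unguarded;
}

// Usage: php audit_guards.php modules/coppermine
// Scripts that are meant to be entry points (the ones that define
// IN_COPPERMINE themselves) will be listed too, so review the list rather
// than patching every hit blindly.
$dir = $argv[1] ?? 'modules/coppermine';
foreach (findUnguardedScripts($dir) as $path) {
    echo "no direct-access guard: $path\n";
}
```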


Hi,...

this code:
if (ereg('..', $startdir)) die('Access denied');

in "searchnew.php" will not work for me...

"$startdir" is filled with: "userpics/Menschen/" but I get an "Access denied"...

Dogman

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Win/1.3/4.0.18/4.3.4


same for me - access denied ...

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
SuSe 8.2 / 1.7x / 3.23.52 / 4.34


Thank you. One question:
REMOVE menu.inc.php


Does this line refer to PostNuke only?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
linux host/ apache 1.3.29/ mysql4/php4


Oops, the code should be:

searchnew.php
```php
function getallpicindb(&$pic_array, $startdir)
{
    global $CONFIG;

    // refuse any requested directory containing ".."
    if (ereg('\.\.', $startdir)) die('Access denied'); // thanks to waraxe for finding this admin vulnerability

    $sql = "SELECT filepath, filename " .
           "FROM {$CONFIG['TABLE_PICTURES']} " .
           "WHERE filepath LIKE '$startdir%'";
    $result = db_query($sql);
```

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial
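An added example, not from this thread or from Coppermine, that puts the two ereg() patterns side by side (the first fix with '..' and the corrected '\.\.'), and adds a stricter whitelist check for $startdir; the whitelist also keeps quotes and LIKE wildcards out of the `LIKE '$startdir%'` clause that the snippet builds from the raw value. ereg() was removed in PHP 7, so preg_match() is used with the same patterns; the sample paths are constructed.

```php
<?php
// Added example, not from the thread or from Coppermine. ereg() is gone
// since PHP 7, so preg_match() is used with the same patterns.

// First version of the fix. In a regex '.' matches any character, so '..'
// matches any two characters and every real album path is rejected.
function brokenTraversalCheck(string $startdir): bool
{
    return preg_match('/../', $startdir) === 1;   // true even for "userpics/Menschen/"
}

// Corrected version: the backslashes make both dots literal.
function fixedTraversalCheck(string $startdir): bool
{
    return preg_match('/\.\./', $startdir) === 1; // true only for a real ".."
}

// Stricter alternative: accept only a relative path of plain name segments.
// Besides "..", this keeps quotes, '%' and '_' out of the LIKE '$startdir%'
// clause built from the raw value. Loosen the character class if your album
// directories use other characters, but never admit "." or "..".
function isSafeStartDir(string $startdir): bool
{
    if ($startdir === '' || $startdir[0] === '/' || strpos($startdir, "\0") !== false) {
        return false;
    }
    foreach (explode('/', rtrim($startdir, '/')) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return false;
        }
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $segment)) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs (the first is the path from Dogman's report).
$samples = [
    'userpics/Menschen/' => true,
    '../../etc/'         => false,
    'userpics/../admin/' => false,
    "userpics/a' OR '1"  => false,
];
foreach ($samples as $dir => $shouldPass) {
    printf("%-20s broken=%d fixed=%d safe=%d%s\n", $dir,
        brokenTraversalCheck($dir), fixedTraversalCheck($dir), isSafeStartDir($dir),
        isSafeStartDir($dir) === $shouldPass ? '' : '  <-- unexpected');
}
```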


This did it...

Thank you...

Dogman

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Win/1.3/4.0.18/4.3.4


$CONFIG['jpeg_qual'] = escapeshellarg($CONFIG['jpeg_qual']);
Since the parameter is always supposed to be an integer, can I suggest:
$CONFIG['jpeg_qual'] = intval($CONFIG['jpeg_qual']);
This is causing problems on my installation (does it with the jpeg_qual value too, which is why I used intval()):
$CONFIG['im_options'] = escapeshellarg($CONFIG['im_options']);
It ends up changing the string (I've verified the database):
-antialias

to:
''\''-antialias'\'''

Ugh. Not good.
I fixed the problem by changing the line to read:
$im_options = escapeshellarg($CONFIG['im_options']);
and changing {$CONFIG['im_options']} to {$im_options} in Line 145.

It is pitch black. You are likely to be eaten by a grue.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu 12.04, Atom D525/Apache 2.2.22/MySQL 5.5.38/PHP 5.3.10/Dragonfly 9.4.0.0 CVS
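An added example, not from this thread or from Coppermine, showing darkgrue's point in code: escaping $CONFIG['im_options'] in place compounds on every pass once the escaped value is written back, while coercing jpeg_qual with intval() and escaping into locals only where the command line is assembled leaves the config untouched. The command shape and the 'impath' key are stand-ins for Coppermine's real ImageMagick call, which the post refers to only by line number; the quoting shown is Linux escapeshellarg() output.

```php
<?php
// Added example, not from the thread or from Coppermine. The command shape and
// the 'impath' key are stand-ins for Coppermine's real ImageMagick call;
// quoting shown is what escapeshellarg() produces on Linux.

// In-place escaping as in the posted fix: if the escaped value is ever saved
// back to the config table, the next run wraps it in another layer of quotes.
function escapeInPlaceTwice(string $value): string
{
    $value = escapeshellarg($value);   // first run:  '-antialias'
    $value = escapeshellarg($value);   // after save: ''\''-antialias'\'''
    return $value;
}

// Safer shape: leave $config alone, coerce the numeric option with intval()
// and escape the string options only while the command line is assembled.
// im_options may hold several flags, so each token is escaped on its own;
// escapeshellarg() on the whole string would hand them over as one argument.
function buildConvertCommand(array $config, string $src, string $dst, int $size): string
{
    $jpegQual = intval($config['jpeg_qual']);
    $tokens   = preg_split('/\s+/', trim($config['im_options']), -1, PREG_SPLIT_NO_EMPTY);
    $imOpts   = implode(' ', array_map('escapeshellarg', $tokens));
    $convert  = escapeshellarg(rtrim($config['impath'], '/') . '/convert');
    return sprintf('%s %s -quality %d -resize %dx%d %s %s',
        $convert, $imOpts, $jpegQual, $size, $size,
        escapeshellarg($src), escapeshellarg($dst));
}

// Constructed config values.
$config = ['jpeg_qual' => '80', 'im_options' => '-antialias', 'impath' => '/usr/bin/'];
echo escapeInPlaceTwice($config['im_options']), "\n";
echo buildConvertCommand($config, 'albums/in.jpg', 'albums/thumb.jpg', 100), "\n";
// $config['im_options'] is still exactly "-antialias" afterwards.
```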


thanks darkgrue

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


Is there any way to make a patch, or post updated files for the less knowledgeable PHP users? I'm tryin'!



cvs.sourceforge.net/vi...ortby=date

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux / 1.3.34 / 4.1.18 / 4.4.2 / CVS


The topic was 1.2x - CPG-Nuke releases are 1.3.0 - use CVS at your own risk, otherwise use 8.1.1 and refer issues to the Modules Forum.


Oops, sorry.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux / 1.3.34 / 4.1.18 / 4.4.2 / CVS


Full-Disclosure Today.

Watch the kiddies come out.

J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2


Check my new topic
cpgnuke.com/index.php?...&t=422 to see more hack prevention, especially to prevent the above attacks and trap them instantly.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


Just one more question.

After installing the above fixes the thumbnail and normal pics have a rather nasty look - see it at www.allygally.de, the pics added today.

Any idea what this could be?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
SuSe 8.2 / 1.7x / 3.23.52 / 4.34

Last edited by sigi on Tue May 04, 2004 9:52 pm; edited 1 time in total
