[VIM] Source verify - Coppermine Photo Gallery <= 1.4.10 code injection

Steven M. Christey coley at mitre.org
Mon Jan 8 20:02:10 EST 2007


Researcher: DarkFig
Ref: BUGTRAQ:20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit
http://www.securityfocus.com/archive/1/archive/1/456051/100/0/threaded

I looked at the source for 1.4.10.

At the bottom of the post, we have:

  ... that's why we use the html_entity_decode() function.  I just
  wanted < for a remote php code execution sploit without admin rights
  :'(.  When the admin views the security logs, it includes
  "security.log.php"...
  
  (security.log.php)
  ==================
  [...]
  if (!defined('IN_COPPERMINE')) die(); ?>


Due to the IN_COPPERMINE check, we can't do a direct request.  The
question of authentication then comes into play.

viewlog.php has:

  function display_log($logname)
  ...
             log_read($logname);

Note that display_log() is only called if the user has admin privs:

  if (!$USER_DATA['has_admin_access']) {
  ...
  cpg_die(CRITICAL_ERROR,$lang_errors['access_denied'], __FILE__,1);


include/logger.inc.php has:

   define('CPG_SECURITY_LOG','security');
   ...
   function log_read( $log = null ) {
   ...
      $log = 'logs/'.$log.'.log.php';
      @include($log);

So, this is where security.log.php comes from (it's not in the actual
distribution).

login.php shows how we inject the code:

  if (isset($_POST['submitted'])) {
  ...
        log_write("Failed login attempt with Username: {$_POST['username']} from IP {$_SERVER['REMOTE_ADDR']} on " . localised_date(-1,$log_date_fmt),CPG_SECURITY_LOG);


So, we can only access security.log.php using viewlog.php, which can
only be accessed with admin privileges.  So, only admins can execute
arbitrary PHP code.

- Steve

P.S.  The initial report's code from init.inc.php shows some dynamic
variable evaluation that unsets "$$key" for most user-supplied
parameter names, which might allow for some interesting attacks on
HTML_SUBST, but I did not investigate closer, so I can't be sure if
there's really an issue or not.
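The write-then-include chain traced above (user input -> log_write() -> logs/security.log.php -> @include() in log_read()), as an added example. This is not Coppermine's code, nor DarkFig's or Steve's; the function names log_write_raw(), log_write_escaped(), log_read_include() and log_read_as_text() are stand-ins, the temp directory replaces Coppermine's logs/ directory, and the username is a constructed attacker value playing the role of $_POST['username']. It shows why a raw write into a .php file that is later include()d is code execution for whoever can reach the viewer, what escaping '<' before the write changes (the effect the quoted post attributes to Coppermine's HTML_SUBST handling), and a viewer that treats the log as text rather than code.

```php
<?php
// Added example, not Coppermine code: a minimal stand-in for the
// log_write()/log_read() pair to show the include()-a-log-file hazard.

define('IN_COPPERMINE', true);

// Constructed working directory; Coppermine uses logs/<name>.log.php.
$logdir = sys_get_temp_dir() . '/cpg_log_demo_' . getmypid();
mkdir($logdir, 0700);

// Same shape as the real log file: a PHP header that die()s on a direct
// request, then one line per event.  Unsafe: $msg is written verbatim.
function log_write_raw(string $logdir, string $name, string $msg): void {
    $file = "$logdir/$name.log.php";
    if (!file_exists($file)) {
        file_put_contents($file, "<?php if (!defined('IN_COPPERMINE')) die(); ?>\n");
    }
    file_put_contents($file, $msg . "\n", FILE_APPEND);
}

// Hardened write: '<' becomes '&lt;' before it reaches the file, so no
// PHP open tag can ever be stored (the escaping the quoted post complains
// about having to undo with html_entity_decode()).
function log_write_escaped(string $logdir, string $name, string $msg): void {
    log_write_raw($logdir, $name, htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'));
}

// The sink: the admin-only viewer include()s the log, as log_read() does.
function log_read_include(string $logdir, string $name): string {
    ob_start();
    @include "$logdir/$name.log.php";
    return ob_get_clean();
}

// Safer viewer: read the log as data, never execute it, escape on output.
function log_read_as_text(string $logdir, string $name): string {
    $lines = file("$logdir/$name.log.php", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    array_shift($lines); // drop the IN_COPPERMINE header line
    return htmlspecialchars(implode("\n", $lines), ENT_QUOTES, 'UTF-8');
}

// Constructed attacker input standing in for $_POST['username'].
$username = "<?php echo 'CODE RAN AS ' . get_current_user(); ?>";
$entry = "Failed login attempt with Username: $username from IP 203.0.113.5";

log_write_raw($logdir, 'security_raw', $entry);
log_write_escaped($logdir, 'security_esc', $entry);

// 1) raw write + include(): the PHP inside the username runs.
echo "include() of raw log:\n", log_read_include($logdir, 'security_raw'), "\n\n";
// 2) escaped write + include(): the tag is stored as &lt;?php and printed inert.
echo "include() of escaped log:\n", log_read_include($logdir, 'security_esc'), "\n\n";
// 3) raw write + text viewer: nothing executes even though the file is hostile.
echo "text read of raw log:\n", log_read_as_text($logdir, 'security_raw'), "\n";

array_map('unlink', glob("$logdir/*"));
rmdir($logdir);
```

Run it with `php demo.php`. The first block of output contains the result of get_current_user() in place of the username, which is the point of Steve's analysis: anyone who can both get a raw '<' into the log and reach the viewer runs code, and in 1.4.10 the viewer is behind has_admin_access while the input path escapes '<', so neither half is available to an unauthenticated user.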