[VIM] Source verify - Coppermine Photo Gallery <= 1.4.10 code injection
Steven M. Christey
coley at mitre.org
Mon Jan 8 20:02:10 EST 2007
Researcher: DarkFig
Ref: BUGTRAQ:20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit
http://www.securityfocus.com/archive/1/archive/1/456051/100/0/threaded
I looked at the source for 1.4.10.
At the bottom of the post, we have:
... that's why we use the html_entity_decode() function. I just
wanted < for a remote php code execution sploit without admin rights
:'(. When the admin views the security logs, it includes
"security.log.php"...
(security.log.php)
==================
[...]
if (!defined('IN_COPPERMINE')) die(); ?>
Due to the IN_COPPERMINE check, we can't do a direct request. The
question of authentication then comes into play.
viewlog.php has:
function display_log($logname)
...
log_read($logname);
Note that display_log() is only called if the user has admin privs:
if (!$USER_DATA['has_admin_access']) {
...
cpg_die(CRITICAL_ERROR,$lang_errors['access_denied'], __FILE__,1);
include/logger.inc.php has:
define('CPG_SECURITY_LOG','security');
...
function log_read( $log = null ) {
...
$log = 'logs/'.$log.'.log.php';
@include($log);
So, this is where security.log.php comes from (it's not in the actual
distribution).
login.php shows how we inject the code:
if (isset($_POST['submitted'])) {
...
log_write("Failed login attempt with Username: {$_POST['username']} from IP {$_SERVER['REMOTE_ADDR']} on " . localised_date(-1,$log_date_fmt),CPG_SECURITY_LOG);
So, we can only access security.log.php using viewlog.php, which can
only be accessed with admin privileges. So, only admins can execute
arbitrary PHP code.
- Steve
P.S. The initial report's code from init.inc.php shows some dynamic
variable evaluation that unsets "$$key" for most user-supplied
parameter names, which might allow for some interesting attacks on
HTML_SUBST, but I did not investigate closer, so I can't be sure if
there's really an issue or not.
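The following PHP script is an added illustration and is not part of Steve's mail, DarkFig's post or the Coppermine code base. It reproduces the pattern the thread describes (a log written as a `.log.php` file with an `IN_COPPERMINE` guard, login input appended to it verbatim, and the file later handed to `include()`), and puts a hardened variant beside it that stores the log as plain text and escapes it on display. All function names, the temp-directory layout and the sample log entry are my own constructed assumptions; the script does not reflect whether Coppermine's actual entity encoding lets a `<` reach the log, which is the point DarkFig raises and the mail does not settle.

```php
<?php
// Added example (not Coppermine code): the include-a-log-file pattern from
// the thread, next to a hardened form. Names and paths are hypothetical.
declare(strict_types=1);

$logDir = sys_get_temp_dir() . '/cpg_demo_' . getmypid();
mkdir($logDir, 0700, true);

// Vulnerable pattern: the log is itself a PHP file. The guard header only
// blocks a direct request; it does nothing against code stored in an entry,
// because the entry is appended verbatim and the file is later include()d.
function vuln_log_write(string $logDir, string $entry): void
{
    $file = "$logDir/security.log.php";
    if (!file_exists($file)) {
        file_put_contents($file, "<?php if (!defined('IN_COPPERMINE')) die(); ?>\n");
    }
    file_put_contents($file, $entry . "\n", FILE_APPEND);
}

function vuln_log_read(string $logDir): string
{
    ob_start();
    @include "$logDir/security.log.php"; // any <?php ... ?> in an entry runs here
    return (string) ob_get_clean();
}

// Hardened pattern: the log is never parsed as code. It lives in a file with a
// non-executable extension, one entry per line, and is rendered as escaped text.
function safe_log_write(string $logDir, string $entry): void
{
    // Flatten line breaks so a single entry cannot forge additional log lines.
    $entry = str_replace(["\r", "\n"], ' ', $entry);
    file_put_contents("$logDir/security.log", $entry . "\n", FILE_APPEND | LOCK_EX);
}

function safe_log_read(string $logDir): string
{
    $raw = (string) @file_get_contents("$logDir/security.log");
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

define('IN_COPPERMINE', true); // simulate the admin-only viewlog.php context

// Constructed attacker-controlled "username" from a failed login attempt.
$username = "<?php echo 'code ran as ' . get_current_user(); ?>";
$entry    = "Failed login attempt with Username: $username from IP 203.0.113.5";

vuln_log_write($logDir, $entry);
echo "vulnerable: ", vuln_log_read($logDir), "\n"; // the PHP inside the entry executes

safe_log_write($logDir, $entry);
echo "hardened:   ", safe_log_read($logDir), "\n"; // the tag is displayed as text

// Clean up the temporary files.
array_map('unlink', glob("$logDir/*"));
rmdir($logDir);
```

Run it with `php` on the command line: the first line shows the embedded `echo` having executed inside `include()`, the second shows the same entry as inert, escaped text. The admin-only gate Steve identifies in viewlog.php still applies to the real code path; the example only isolates why a log file that is also an include target turns a logging sink into a code sink.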