[VIM] Source verify - Coppermine Photo Gallery <= 1.4.10 code injection

Steven M. Christey coley at mitre.org
Mon Jan 8 20:02:10 EST 2007

Researcher: DarkFig
Ref: BUGTRAQ:20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit

I looked at the source for 1.4.10.

At the bottom of the post, we have:

  ... that's why we use the html_entity_decode() function.  I just
  wanted < for a remote php code execution sploit without admin rights
  :'(.  When the admin views the security logs, it includes
  if (!defined('IN_COPPERMINE')) die(); ?>

Due to the IN_COPPERMINE check, we can't do a direct request.  The
question of authentication then comes into play.

viewlog.php has:

  function display_log($logname)

Note that display_log() is only called if the user has admin privs:

  if (!$USER_DATA['has_admin_access']) {
      cpg_die(CRITICAL_ERROR, $lang_errors['access_denied'], __FILE__, 1);
  }

include/logger.inc.php has:

   function log_read( $log = null ) {
      $log = 'logs/'.$log.'.log.php';

So, this is where security.log.php comes from (it's not in the actual

login.php shows how we inject the code:

  if (isset($_POST['submitted'])) {
        log_write("Failed login attempt with Username: {$_POST['username']} from IP {$_SERVER['REMOTE_ADDR']} on " . localised_date(-1,$log_date_fmt),CPG_SECURITY_LOG);

So, we can only access security.log.php using viewlog.php, which can
only be accessed with admin privileges.  So, only admins can execute
arbitrary PHP code.

- Steve

P.S.  The initial report's code from init.inc.php shows some dynamic
variable evaluation that unsets "$$key" for most user-supplied
parameter names, which might allow for some interesting attacks on
HTML_SUBST, but I did not investigate closer, so I can't be sure if
there's really an issue or not.
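The write-then-include pattern analysed above, as an added example that is not Coppermine's code: a log writer that appends a user-supplied entry to a `.log.php` file the viewer later include()s, beside a hardened equivalent that keeps the log as plain text and escapes only on display. All function names, the sample entry and the log path are assumptions.

```php
<?php
// Added example, not Coppermine code: the write-then-include pattern
// from login.php / logger.inc.php, beside a hardened equivalent.

// Vulnerable pattern: the log is itself a PHP file and the viewer include()s it.
function log_write_vulnerable(string $entry, string $file): void
{
    // The guard header only stops direct HTTP requests; it does nothing
    // about what an include() of this file will execute.
    if (!file_exists($file)) {
        file_put_contents($file, "<?php if (!defined('IN_COPPERMINE')) die(); ?>\n");
    }
    // $entry (e.g. a failed-login username) goes in verbatim, so any PHP
    // open tag inside it becomes code the next include() runs.
    file_put_contents($file, $entry . "\n", FILE_APPEND);
}

function log_read_vulnerable(string $file): void
{
    define('IN_COPPERMINE', true);
    include $file; // executes whatever the log file contains
}

// Hardened pattern: plain-text log, never executed, escaped only on display.
function log_write_hardened(string $entry, string $file): void
{
    // Drop control characters so one entry cannot forge extra log lines.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $entry);
    file_put_contents($file, $clean . "\n", FILE_APPEND | LOCK_EX);
}

function log_render_hardened(string $file): string
{
    $html = '';
    foreach (file($file, FILE_IGNORE_NEW_LINES) as $line) {
        // Escape for HTML output here; never html_entity_decode() it back.
        $html .= htmlspecialchars($line, ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
    return $html;
}

// Usage with a constructed entry; the temp dir stands in for a directory
// outside the web root that the web server never serves or include()s.
$logfile = sys_get_temp_dir() . '/security.log';
log_write_hardened("Failed login attempt with Username: bob from IP 203.0.113.5", $logfile);
echo log_render_hardened($logfile);
```

The admin-only check in viewlog.php limits who can trigger the include, but the hardened form removes the execution path altogether, so the log stays data regardless of who reads it.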

