[VIM] Coppermine Photo Gallery 1.5.x Remote Command Execution
George A. Theall
theall at tenable.com
Wed Feb 9 10:35:11 CST 2011
Exploit DB 16142 / Bugtraq 46288 cover a remote command execution
issue in Coppermine Photo Gallery 1.5.x reported by Sn!pEr.S!Te. This
person's success record has been rather spotty in the past, and this
one seems just as bogus. Here's the code from include/picmgmt.inc.php
in 1.5.12:
----- snip, snip, snip -----
if (!defined('IN_COPPERMINE')) { die('Not in Coppermine...');}
...
function resize_image($src_file, $dest_file, $new_size, $method,
                      $thumb_use, $watermark="false", $sharpen=0, $media_type="false")
{
...
    if ($superCage->env->getMatched('OS', '/win/i')) {
        $cmd = "\"".str_replace("\\","/", $CONFIG['impath'])."convert\" -resize ".$wm_resize."% ".str_replace("\\","/", $CONFIG['watermark_file'])." ".str_replace("\\","/", $path_to_tmp_wm);
        exec ("\"$cmd\"", $output, $retval);
----- snip, snip, snip -----
The 'IN_COPPERMINE' check occurs in the first non-comment line after
the initial PHP opening tag, so right from the start we can see that
the issue can't be exploited as Sn!pEr.S!Te claims.
Also, the 'exec()' call that's supposedly affected occurs in a
function definition and the file basically just holds function calls;
there's no way to call the affected 'resize_image()' function by
requesting picmgmt.inc.php.
And finally, the 'output' and 'retval' parameters actually appear in
the 'exec()' call as the 2nd and 3rd args, not part of the first as
Sn!pEr.S!Te claims. This difference is significant, as PHP uses those
parameter values to store the output of the command and its return
value respectively; they are not simply appended to the command and
passed to a shell.
George
--
theall at tenablesecurity.com
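As an added example (not code from the original post or from Coppermine), here is a small PHP harness that reproduces the three points George makes so they can be checked locally. The stub file, its function name resize_image_stub, the use of a POSIX shell behind exec() and of the CLI binary via PHP_BINARY are assumptions of the example, not details of Coppermine.

```php
<?php
// Added example, not part of the original post or of Coppermine: a harness
// that reproduces the three points above. Assumes a POSIX shell behind
// exec(), a writable temp directory, and the PHP CLI available as PHP_BINARY.

// Stand-in for include/picmgmt.inc.php: the guard comes first, and after it
// the file contains nothing but a function definition. The function name is
// invented; the exec() call mirrors the real one's 2nd and 3rd arguments.
$stub = <<<'PHP'
<?php
if (!defined('IN_COPPERMINE')) { die('Not in Coppermine...'); }

function resize_image_stub($cmd)
{
    exec($cmd, $output, $retval);
    return [$output, $retval];
}
PHP;

$path = tempnam(sys_get_temp_dir(), 'picmgmt');
file_put_contents($path, $stub);

// Point 1: fetched on its own (here: run as a top-level script in a child
// process, the CLI equivalent of requesting the file directly), the guard
// fires before anything else in the file is even parsed into a definition.
exec(PHP_BINARY . ' ' . escapeshellarg($path), $direct, $rc);
echo "direct run: ", implode("\n", $direct), " (exit $rc)\n";

// Point 2: included the way Coppermine includes it, the file only defines
// the function. Nothing in it calls resize_image_stub(), so no exec() runs
// as a side effect of the include.
define('IN_COPPERMINE', true);
require $path;
echo "after include: function defined = ",
     var_export(function_exists('resize_image_stub'), true), "\n";

// Point 3: exec()'s 2nd and 3rd parameters are by-reference outputs that PHP
// fills from the child's stdout lines and exit status. The "exit 3" below
// lands in $retval as the integer 3 and the two printed lines in $output as
// two array elements; neither variable is appended to the command string.
[$output, $retval] = resize_image_stub('printf "line1\nline2\n"; exit 3');
echo "output lines: ", count($output),
     ", retval: ", var_export($retval, true), "\n";

unlink($path);
```

Run it with the PHP CLI (`php harness.php`); the first line shows the guard's 'Not in Coppermine...' message from the child process, and the last line shows exec() delivering the command's output and exit code through its 2nd and 3rd arguments rather than passing them to the shell.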