Bug 130277

Summary: www-apps/coppermine possible remote file inclusion
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: stuart, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://myimei.com/security/2006-04-14/copperminephotogallery144-plugininclusionsystemindexphp-remotefileinclusion-attack.html
Whiteboard: ~3? [noglsa] DerCorny
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-17 10:43:59 UTC
Software: CPG Coppermine Photo Gallery
 Software's Web Site: http://coppermine.sourceforge.net/
 Versions: 1.4.4.stable
 Class: Remote
 Status: Unpatched
 Exploit: Available
 Solution: Not Available
 Discovered by: imei addmimistrator
 Risk Level: High
 ---------- Description ----------
 There is a security flaw in Coppermine Photo Gallery, one of the popular photo galleries on the internet, that allows an attacker to perform a remote file inclusion attack.

 The bug is a security flaw in the plugin inclusion system. This system does not properly validate the parameter $_GET['file'] and has a simple special-character removal mechanism that is easy to evade.
 ---------- See Also ----------
 file:{index.php}39
 $file = str_replace('//','',str_replace('..','',$_GET['file']));
 $path = './plugins/'.$file.'.php';
 // Don't include the codebase and credits files
 if ($file != 'codebase' && $file != 'configuration' && file_exists($path)) {
 // Include the code from the plugin
 include_once($path);
 $file = true;
 }
 ---------- Exploit ----------
 /cpg/index.php?file=.//././/././/././/././/././/././/././/././/./etc/passwd%00
 ---------- Credit ----------
 Discovered by: imei addmimistrator
 addmimistrator(4}gmail(O}com
 imei(4}Kapda(O}IR
 www.myimei.com
 myimei.com/security
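
The following is an added example, not part of the original report, not Coppermine's code and not the 1.4.5 patch. It puts the strip-and-continue filter quoted above next to an allowlist check with a resolved-path containment test, so the difference in outcome is visible on the same inputs. The function names `legacy_filter` and `resolve_plugin_path`, the temporary directory and the sample plugin file are assumptions made for the demonstration.

```php
<?php
// Added example, not Coppermine's code and not the 1.4.5 patch.
// legacy_filter() restates the strip-and-continue line quoted in the report;
// resolve_plugin_path() is a hypothetical allowlist-based replacement.

function legacy_filter(string $name): string
{
    return str_replace('//', '', str_replace('..', '', $name));
}

function resolve_plugin_path(string $pluginDir, $name): ?string
{
    // Reject arrays (?file[]=x) and other non-string input.
    if (!is_string($name)) {
        return null;
    }
    // Allowlist instead of stripping: dots, slashes and NUL bytes never
    // match, so no removal pass can reassemble them into a traversal.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // Same two names the original snippet refuses to load.
    if (in_array($name, ['codebase', 'configuration'], true)) {
        return null;
    }
    $base = realpath($pluginDir);
    $path = realpath($pluginDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: once symlinks are resolved, the file must still
    // sit under the plugin directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary plugin directory holding one plugin file.
$dir = sys_get_temp_dir() . '/cpg_plugins_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/sample.php', "<?php // constructed sample plugin\n");

foreach (['sample', 'codebase', 'missing', './/./sample', "sample\0", ['sample']] as $in) {
    $legacy = is_string($in) ? json_encode(legacy_filter($in), JSON_UNESCAPED_SLASHES) : 'n/a';
    $result = resolve_plugin_path($dir, $in) === null ? 'rejected' : 'accepted';
    printf("%-16s legacy filter -> %-16s allowlist -> %s\n",
        json_encode($in, JSON_UNESCAPED_SLASHES), $legacy, $result);
}

unlink($dir . '/sample.php');
rmdir($dir);
```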
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-19 08:40:25 UTC
stuart pls bump, thank you
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-04-22 03:35:22 UTC
1.4.5 is out to fix this directory traversal attack
Comment 3 Renat Lumpau (RETIRED) gentoo-dev 2006-04-24 06:03:43 UTC
in CVS