List: bugtraq
Subject: [waraxe-2005-SA#042] - Multiple vulnerabilities in Coppermine
From: Janek Vind <come2waraxe () yahoo ! com>
Date: 2005-04-20 16:31:45
Message-ID: 20050420163145.7316.qmail () www ! securityfocus ! com
{================================================================================}
{ [waraxe-2005-SA#042] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in Coppermine Photo Gallery 1.3.2 ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 20. April 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-42.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Coppermine Photo Gallery
Coppermine is an easily set-up, fast, feature-rich photo gallery script with MySQL database. CPG supports template & user management, private galleries, automatic thumbnail creation, film strip, e-card feature for easy customization to match the rest of a site. CPG 1.3 adds multiple uploads, updated securities, countless bug-fixes, many new features including support for document types (ie tiff, psd, swf etc) and online editing of documents!
Homepage: http://coppermine.sourceforge.net/
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Today we will analyze some possible security flaws in Coppermine 1.3.2 standalone.
We start with:
A - Sql injection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is a code fragment from "/include/init.inc.php", around line 357:
--------[original source code]--------
// See if the fav cookie is set else set it
if (isset($HTTP_COOKIE_VARS[$CONFIG['cookie_name'] . '_fav'])) {
    $FAVPICS = @unserialize(@base64_decode($HTTP_COOKIE_VARS[$CONFIG['cookie_name'] . '_fav']));
} else {
    $FAVPICS = array();
}
--------[/original source code]--------
So, as we can see, the data from the cookie (typically named "cpg132_fav") is base64-decoded and then unserialized. This means ANY kind of data can be delivered to Coppermine, including single quotes (" ' "), nulls ("\0"), etc. What next? As far as I can tell, $FAVPICS is supposed to be an array of INT values. But where are the checks? With unserialize() anything is possible...
Let's look further, at file "include/functions.inc.php", around line 840:
--------[original source code]--------
if (count($FAVPICS)>0){
    $favs = implode(",",$FAVPICS);
    $result = db_query("SELECT COUNT(*) from {$CONFIG['TABLE_PICTURES']} WHERE approved = 'YES' AND pid IN ($favs)");
    $nbEnr = mysql_fetch_array($result);
    $count = $nbEnr[0];
    mysql_free_result($result);
    $select_columns = '*';
    $result = db_query("SELECT $select_columns FROM {$CONFIG['TABLE_PICTURES']} WHERE approved = 'YES'AND pid IN ($favs) $limit");
    $rowset = db_fetch_rowset($result);
    mysql_free_result($result);
    if ($set_caption) foreach ($rowset as $key => $row){
        $caption = $rowset[$key]['title'] ? "<span class=\"thumb_caption\">".($rowset[$key]['title'])."</span>" : '';
        $rowset[$key]['caption_text'] = $caption;
    }
}
--------[/original source code]--------
Well, "$favs" is built from "$FAVPICS" without any sanitizing, so any single quotes can propagate into $favs too. And finally "$favs" is used directly in SQL queries. Therefore SQL injection can take place, and it is exploitable. The good news (for admins and webmasters) is that this kind of SQL injection is complicated to carry out because of specific restricting factors: it requires writing a special script or program that uses COOKIE variables and some blind SQL injection techniques. Not for script kiddies this time...
Now, let's move further and assume that someone is exploiting this specific SQL injection and can therefore retrieve arbitrary information from the database. As usual, the most interesting data to steal is the admin username and password hash. So we arrive at:
B - Plaintext passwords in database
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Believe it or not, Coppermine stores passwords in the SQL database as plaintext. No md5, no sha1, just plaintext... I have information that Coppermine will be using md5 hashes soon, but right now an attacker can retrieve the admin username and password from the SQL database and then easily gain administrator privileges in the Coppermine context. This gives the attacker new possibilities for further assault, and one of them is:
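The fix for B is to stop the plaintext ever reaching the table. The following is an added example, not Coppermine's code, and it uses PHP's own password_hash()/password_verify() (PHP 5.6+ because of hash_equals()) rather than the unsalted md5 the author says the vendor has planned; the function names and the user_name/user_password column names are assumed. It also handles the awkward case a real upgrade faces: rows that still hold plaintext are migrated to a hash on the user's next successful login.

```php
<?php
// Added example (not Coppermine code). Assumes a users table with columns
// user_name and user_password; helper names below are my own.

// Hash a new or changed password before it is written to the users table.
function cpg_store_password($plain)
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Check a login attempt against whatever the row currently holds.
// Returns array($ok, $new_hash): $new_hash is non-null when the row should be
// rewritten, either because it still held plaintext (the situation in B) or
// because the hashing defaults have moved on since it was hashed.
function cpg_check_password($plain, $stored)
{
    if (password_verify($plain, $stored)) {
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($plain, PASSWORD_DEFAULT)
            : null;
        return array(true, $new);
    }
    // Legacy plaintext row: password_verify() fails on a non-hash, so fall back
    // to a constant-time comparison and hand back a hash so the caller can
    // migrate the row on this successful login.
    if (hash_equals($stored, $plain)) {
        return array(true, password_hash($plain, PASSWORD_DEFAULT));
    }
    return array(false, null);
}

// Constructed demonstration row (no database needed), mirroring what a 1.3.2
// install holds: the password column contains the password itself.
$row = array('user_name' => 'admin', 'user_password' => 'constructed-plaintext-pw');

list($ok, $upgrade) = cpg_check_password('constructed-plaintext-pw', $row['user_password']);
if ($ok && $upgrade !== null) {
    // In the real application: UPDATE users SET user_password = $upgrade WHERE user_name = ...
    $row['user_password'] = $upgrade;
}

// Second login: the row is now hashed, no further migration is requested,
// and a wrong password is rejected.
list($ok2, $upgrade2) = cpg_check_password('constructed-plaintext-pw', $row['user_password']);
list($ok3, $upgrade3) = cpg_check_password('wrong-password', $row['user_password']);
var_dump($ok, $ok2, $upgrade2, $ok3, $row['user_password']);
```

The migration path means an administrator can deploy the change without forcing every user through a reset, while the stored value after the first login is a salted hash rather than the recoverable plaintext the SQL injection in A would otherwise expose.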
C - Sql injection in "zipdownload.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's look at the source code from "zipdownload.php", around line 45:
--------[original source code]--------
if (count($FAVPICS)>0){
    $favs = implode(",",$FAVPICS);
    $select_columns = 'filepath,filename';
    $result = db_query("SELECT $select_columns FROM {$CONFIG['TABLE_PICTURES']} WHERE approved = 'YES'AND pid IN ($favs)");
    $rowset = db_fetch_rowset($result);
    foreach ($rowset as $key => $row){
        $filelist[] = $rowset[$key]['filepath'].$rowset[$key]['filename'];
    }
}
--------[/original source code]--------
The zipdownload functionality is disabled by default in Coppermine, but once an attacker has admin privileges it can be turned on. And by looking at the source code we can see that it gives a potential intruder the possibility to download any file from the server that is readable by the script.
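Sections A and C share one root cause: $FAVPICS comes straight out of unserialize() and is imploded into an IN (...) list with no type check. The following is an added example, not Coppermine's code, showing the shape of a fix that validates the cookie before unserialize() and rebuilds the SQL list from integers only. The cookie suffix "_fav", $CONFIG['TABLE_PICTURES'] and the query text follow the advisory's snippets; the function names, the table name in the sample $CONFIG and the sample cookies are my own constructions. $_COOKIE is used instead of the older $HTTP_COOKIE_VARS, and the strict base64_decode() flag needs PHP 5.2 or later.

```php
<?php
// Added example for sections A and C (not Coppermine code). Assumes the
// "<cookie_name>_fav" cookie and $CONFIG['TABLE_PICTURES'] from the advisory;
// helper names are my own. Requires PHP 5.2+ (strict base64_decode()).

// Only a serialized PHP array whose keys and values are all non-negative
// integers is accepted, e.g. a:2:{i:0;i:5;i:1;i:17;}. Checking the blob
// against this pattern BEFORE unserialize() rules out strings (single quotes,
// NUL bytes, SQL fragments) and serialized objects entirely. On PHP 7+ the
// 'allowed_classes' => false option of unserialize() is a second safety net.
define('FAV_SERIALIZED_INT_ARRAY', '/^a:\d+:\{(?:i:\d+;i:\d+;)*\}$/D');

function favpics_from_cookie($cookie_value)
{
    $decoded = base64_decode($cookie_value, true);  // true = reject non-base64 input
    if ($decoded === false || !preg_match(FAV_SERIALIZED_INT_ARRAY, $decoded)) {
        return array();                               // tampered or malformed: ignore the cookie
    }
    $data = unserialize($decoded);
    if (!is_array($data)) {
        return array();
    }
    $ids = array();
    foreach ($data as $value) {
        $id = (int) $value;     // already guaranteed numeric by the pattern
        if ($id > 0) {
            $ids[$id] = $id;    // integer keys de-duplicate repeated ids
        }
    }
    return array_values($ids);
}

// The IN (...) list is rebuilt from integers only, so no untrusted bytes can
// reach the query string even if $FAVPICS was altered elsewhere in the request.
function favpics_sql_list(array $favpics)
{
    $ints = array();
    foreach ($favpics as $value) {
        if (is_int($value) && $value > 0) {
            $ints[] = $value;
        }
    }
    return implode(',', $ints);
}

// Replacement for the query built in zipdownload.php; returns null when there
// is nothing to select, preserving the original count($FAVPICS) > 0 guard.
function favpics_query($CONFIG, $FAVPICS)
{
    $favs = favpics_sql_list($FAVPICS);
    if ($favs === '') {
        return null;
    }
    return "SELECT filepath,filename FROM {$CONFIG['TABLE_PICTURES']}"
         . " WHERE approved = 'YES' AND pid IN ($favs)";
}

// Constructed sample cookies, runnable from the command line without a database.
$CONFIG = array('cookie_name' => 'cpg132', 'TABLE_PICTURES' => 'constructed_pictures');
$good = base64_encode(serialize(array(5, 17, 5)));            // legitimate favourites
$bad  = base64_encode(serialize(array(5, "17 OR 1=1")));      // a string smuggled into the array

foreach (array('good' => $good, 'bad' => $bad) as $label => $cookie) {
    $_COOKIE[$CONFIG['cookie_name'] . '_fav'] = $cookie;
    $FAVPICS = favpics_from_cookie($_COOKIE[$CONFIG['cookie_name'] . '_fav']);
    echo "$label cookie -> ";
    var_dump($FAVPICS, favpics_query($CONFIG, $FAVPICS));
}
```

Rejecting the whole cookie, rather than silently dropping the bad element, is deliberate: a favourites list that fails the whitelist was not written by the gallery, so there is no legitimate state worth salvaging, and an access log entry at that point gives a defender a clean detection signal for tampering attempts.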
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vendor first contacted: 16. April 2005
Vendor first response: 17. April 2005
Details sent to vendor: 17. April 2005
Vendor second response: 17. April 2005
Patch released by vendor: 20. April 2005
URL: http://coppermine.sourceforge.net/board/index.php?topic=17134
New Coppermine version 1.3.3 is available at:
http://prdownloads.sourceforge.net/coppermine/cpg1.3.3.zip?download
Discussions - http://www.waraxe.us/forums.html
Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Online Base64 decoder and encoder - http://base64-encoder-online.waraxe.us/
SiteMapper - free php script for SEO phpNuke powered websites -
Fresh version 0.5 can be downloaded @ http://sitemapper.waraxe.us/
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to LINUX, Heintz, murdock, g0df4th3r, slimjim100, shai-tan, y3dips and
all other active members from waraxe.us forum !
Greetings - Raido Kerna !
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------