
List:       bugtraq
Subject:    [waraxe-2005-SA#042] - Multiple vulnerabilities in Coppermine
From:       Janek Vind <come2waraxe () yahoo ! com>
Date:       2005-04-20 16:31:45
Message-ID: 20050420163145.7316.qmail () www ! securityfocus ! com

{================================================================================}
{                              [waraxe-2005-SA#042]                              }
{================================================================================}
{                                                                                }
{          [ Multiple vulnerabilities in Coppermine Photo Gallery 1.3.2 ]        }
{                                                                                }
{================================================================================}
                
Author: Janek Vind "waraxe"
Date: 20. April 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-42.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Coppermine Photo Gallery 

Coppermine is an easily set-up, fast, feature-rich photo gallery script with MySQL
database. CPG supports template & user management, private galleries, automatic
thumbnail creation, film strip, e-card feature for easy customization to match the
rest of a site. CPG 1.3 adds multiple uploads, updated security, countless
bug-fixes, many new features including support for document types (i.e. tiff, psd, swf
etc) and online editing of documents!

Homepage: http://coppermine.sourceforge.net/


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Today we will analyze some possible security flaws in Coppermine 1.3.2 standalone.
It all starts with:

A - Sql injection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is a code fragment from "/include/init.inc.php", line ~357:

--------[original source code]--------
// See if the fav cookie is set else set it
if (isset($HTTP_COOKIE_VARS[$CONFIG['cookie_name'] . '_fav'])) {
    $FAVPICS = @unserialize(@base64_decode($HTTP_COOKIE_VARS[$CONFIG['cookie_name'] . '_fav']));
} else {
    $FAVPICS = array();
}
--------[/original source code]--------

So as we can see, data from the cookie (typically named "cpg132_fav") is base64-decoded
and then unserialized. This means ANY kind of data can be delivered to Coppermine,
including single quotes (" ' "), NUL bytes ("\0"), etc. What next? As far as I can
understand, $FAVPICS is supposed to be an array of INT values. But where are the
checks? With unserialize(), anything is possible...

Let's look further, at file "include/functions.inc.php", line ~840:

--------[original source code]--------
if (count($FAVPICS)>0){
	$favs = implode(",",$FAVPICS);
	$result = db_query("SELECT COUNT(*) from {$CONFIG['TABLE_PICTURES']} WHERE approved = 'YES' AND pid IN ($favs)");
	$nbEnr = mysql_fetch_array($result);
	$count = $nbEnr[0];
	mysql_free_result($result);

	$select_columns = '*';

	$result = db_query("SELECT $select_columns FROM {$CONFIG['TABLE_PICTURES']} WHERE approved = 'YES' AND pid IN ($favs) $limit");
	$rowset = db_fetch_rowset($result);

	mysql_free_result($result);

	if ($set_caption) foreach ($rowset as $key => $row){
		$caption = $rowset[$key]['title'] ? "<span class=\"thumb_caption\">".($rowset[$key]['title'])."</span>" : '';
		$rowset[$key]['caption_text'] = $caption;
	}
}
--------[/original source code]--------

Well, "$favs" is built from "$FAVPICS" without any sanitizing, so single quotes can
propagate into $favs too. And finally "$favs" is used directly in SQL queries.
Therefore SQL injection can take place and it is exploitable. Good news (for admins
and webmasters) is that this kind of SQL injection is complicated to exploit, because
of specific restricting factors: it requires writing a special script or program that
sets COOKIE variables and uses blind SQL injection techniques. Not for
scriptkiddies this time ...

Now, let's move further and assume that someone exploits this specific SQL
injection and can therefore retrieve arbitrary information from the database. As
usual, the most interesting data to steal is the admin username and password hash.
So we arrive at:


B - Plaintext passwords in database
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Believe it or not, Coppermine stores passwords in the SQL database in plaintext.
No md5, no sha1, just plaintext... I have information that Coppermine will be using
md5 hashes soon, but right now an attacker can retrieve the admin username and
password from the SQL database and then easily gain administrator privileges in the
Coppermine context. This gives the attacker new possibilities for further assault,
and one of them is:


C - Sql injection in "zipdownload.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Let's look at the source code from "zipdownload.php", line ~45:

--------[original source code]--------
if (count($FAVPICS)>0){
	$favs = implode(",",$FAVPICS);

	$select_columns = 'filepath,filename';

	$result = db_query("SELECT $select_columns FROM {$CONFIG['TABLE_PICTURES']} WHERE approved = 'YES' AND pid IN ($favs)");
	$rowset = db_fetch_rowset($result);
	foreach ($rowset as $key => $row){

		$filelist[] = $rowset[$key]['filepath'].$rowset[$key]['filename'];

	}
}
--------[/original source code]--------

Zipdownload functionality is disabled by default in Coppermine, but once an attacker
has admin privileges it can be turned on. And by looking at the source code we can
see that it gives a potential intruder the possibility to download any file from the
server that is readable by the script.
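The same pattern (an unchecked $FAVPICS passed through implode() into an IN (...) clause) appears in both section A and section C, so one hardened version serves both. This is an added example written for this page, not Coppermine's code or the vendor's patch; it assumes PHP 7.1+, a PDO connection named $pdo, and the $CONFIG array used in the quoted fragments.

```php
<?php
// Added example, not Coppermine's code. Assumes a PDO connection ($pdo) and
// Coppermine's $CONFIG array; both names are assumptions for this example.
// Decode the "<cookie_name>_fav" cookie into a list of picture ids. Only
// positive integers are accepted, so a forged cookie can never smuggle
// quotes, NUL bytes or objects into $FAVPICS; anything else yields [].
function fav_pids_from_cookie(?string $raw, int $max = 200): array
{
    if ($raw === null || $raw === '') {
        return [];
    }
    // Strict mode rejects characters outside the base64 alphabet.
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        return [];
    }
    // allowed_classes => false (PHP 7+) stops the cookie from instantiating objects.
    $data = @unserialize($decoded, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    $pids = [];
    foreach ($data as $pid) {
        // Strict type check: "1 OR 1=1", "12'", 1.5 and true all fail here.
        if (is_int($pid) && $pid > 0) {
            $pids[$pid] = $pid;   // keyed by value, so duplicates collapse
        }
    }
    // Bound the IN() list so the cookie cannot force an oversized query.
    return array_slice(array_values($pids), 0, $max);
}

// Count approved favourites with a prepared statement: the ids are bound as
// parameters, never interpolated into the SQL text the way $favs was.
// $table is $CONFIG['TABLE_PICTURES'], a server-side value, not request data.
function count_approved_favs(PDO $pdo, string $table, array $pids): int
{
    if ($pids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($pids), '?'));
    $sql = "SELECT COUNT(*) FROM `$table` WHERE approved = 'YES' AND pid IN ($placeholders)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_values($pids));
    return (int) $stmt->fetchColumn();
}

// Replacement for the init.inc.php fragment: $HTTP_COOKIE_VARS is now $_COOKIE.
$FAVPICS = fav_pids_from_cookie($_COOKIE[$CONFIG['cookie_name'] . '_fav'] ?? null);
```

Longer term, keeping the favourites list as a JSON array of integers (or server-side in the session) avoids calling unserialize() on attacker-controlled input at all.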


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vendor first contacted: 16. April 2005
Vendor first response: 17. April 2005
Details sent to vendor: 17. April 2005
Vendor second response: 17. April 2005 

Patch released by vendor: 20. April 2005
URL: http://coppermine.sourceforge.net/board/index.php?topic=17134

New Coppermine version 1.3.3 is available at:

http://prdownloads.sourceforge.net/coppermine/cpg1.3.3.zip?download

Discussions - http://www.waraxe.us/forums.html


Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Online Base64 decoder and encoder - http://base64-encoder-online.waraxe.us/

SiteMapper - free php script for SEO phpNuke powered websites -
Fresh version 0.5 can be downloaded @ http://sitemapper.waraxe.us/


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to LINUX, Heintz, murdock, g0df4th3r, slimjim100, shai-tan, y3dips and
all other active members from waraxe.us forum !

Greetings - Raido Kerna !

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------


