Waraxe IT Security Portal
Login or Register
October 15, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 71
Members: 0
Total: 71
Full disclosure
SEC Consult SA-20241009-0 :: Local Privilege Escalation via MSI installer in Palo Alto Networks GlobalProtect (CVE-2024-9473)
APPLE-SA-10-03-2024-1 iOS 18.0.1 and iPadOS 18.0.1
Some SIM / USIM card security (and ecosystem) info
SEC Consult SA-20240930-0 :: Local Privilege Escalation via MSI Installer in Nitro PDF Pro (CVE-2024-35288)
Backdoor.Win32.Benju.a / Unauthenticated Remote CommandExecution
Backdoor.Win32.Prorat.jz / Remote Stack Buffer Overflow (SEH)
Backdoor.Win32.Amatu.a / Remote Arbitrary File Write (RCE)
Backdoor.Win32.Agent.pw / Remote Stack Buffer Overflow (SEH)
Backdoor.Win32.Boiling / Remote Command Execution
Defense in depth -- the Microsoft way (part 88): a SINGLEcommand line shows about 20, 000 instances of CWE-73
SEC Consult SA-20240925-0 :: Uninstall Password Bypass in BlackBerry CylanceOPTICS Windows Installer Package (CVE-2024-35214)
Apple iOS 17.2.1 - Screen Time Passcode Retrieval (MitigationBypass)
CyberDanube Security Research 20240919-0 | Multiple Vulnerabilities in Netman204
Submit Exploit CVE-2024-42831
Stored XSS in "Edit Profile" - htmlyv2.9.9
[waraxe-2008-SA#066] - Multiple Vulnerabilities in Coppermine 1.4.14





Author: Janek Vind "waraxe"
Date: 31. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-66.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Coppermine Photo Gallery is a multi-purpose fully-featured and integrated web
picture gallery script written in PHP using GD or ImageMagick as image library
with a MySQL backend.

Coppermine Photo Gallery has been tested working well on IIS, Apache 1.3.24
onwards to the latest Apache 2, on Linux, UNIX, OSX, and Win32 systems.

Vulnerabilities discovered
===============================================================================

1. Reflected XSS in "docs/showdoc.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://localhost/coppermine.1.4.14/docs/showdoc.php?
h=waraxe&t=<script>alert(123);</script>
http://localhost/coppermine.1.4.14/docs/showdoc.php?
h=</title><script>alert(123);</script>&t=waraxe


2. Low-impact sql injection(s) in "util.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Preconditions:
===============
a) Attacker must have Coppermine admin privileges.


Example fragment from source code:
--------------------------------------------------
function update_thumbs()
{
global $CONFIG, $lang_util_php;

$albumid = (isset($_POST['albumid'])) ? $_POST['albumid'] : 0;
$albstr = ($albumid) ? "WHERE aid = $albumid" : '';

$updatetype = $_POST['updatetype'];
$numpics = $_POST['numpics'];
$startpic = (isset($_POST['startpic'])) ? $_POST['startpic'] : 0;

echo "<h2>{$lang_util_php['thumbs_wait']}</h2>";

$result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_PICTURES']}
$albstr LIMIT $startpic, $numpics");
$count = mysql_num_rows($result);
--------------------------------------------------

As seen above, "$_POST['albumid']", "$_POST['startpic']" and
"$_POST['numpics']" are used in sql query without proper sanitization.
Clearly this points to possible sql injection security hole.
As this script can be used only by admins, then i'd classify it as
"low impact". By the way, there seems to be more sql injections in this
script.


3. Low-impact sql injection(s) in "reviewcom.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Preconditions:
===============
a) Attacker must have Coppermine admin privileges.


Example fragment from source code:
--------------------------------------------------
if (isset($_POST['cid_array'])) {
$cid_array = $_POST['cid_array'];
$cid_set = '';
foreach ($cid_array as $cid)
$cid_set .= ($cid_set == '') ? '(' . $cid : ', ' . $cid;
$cid_set .= ')';

cpg_db_query("DELETE FROM {$CONFIG['TABLE_COMMENTS']}
WHERE msg_id IN $cid_set");
$nb_com_del = mysql_affected_rows();
}
--------------------------------------------------

It's easy to spot the problem - unsanitized data from "$_POST['cid_array']"
is used in DELETE query. In case of MySql 4.1.x attacker can fetch any info
from database via using subqueries functionality in affected DELETE query.
"Low impact" - because Coppermine admin privileges needed.

4. Information leakage in "update.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Anyone can execute update script "update.php":

http://victim.com/cpg14x/update.php

This specific script seems to be harmless in allready installed coppermine
instances, but looking at output, produced by script, we can see some insider
information. Example - database table prefix can be seen by potential attacker.
This piece of information can be useful in further attacks.

5. Path diclosure in "include/slideshow.inc.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://localhost/coppermine.1.4.14/include/slideshow.inc.php

... and we see error message in javascript source code:

<b>Fatal error</b>: Call to undefined function get_pic_data() in <b>
C:apache_wwwrootcoppermine.1.4.14includeslideshow.inc.php
</b> on line <b>53</b><br />


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download new Coppermine version 1.4.15 as soon as possible!


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, koko, str0ke
and anyone else who know me!
Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.janekvind.com/
Waraxe forum: http://www.waraxe.us/forums.html

---------------------------------- [ EOF ] ---------------------------------









Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2008-01-31 (31064 reads)

[ Go Back ]
Top members by posts
waraxe  waraxe - 2407
vince213333  vince213333 - 737
pexli  pexli - 665
Mullog  Mullog - 540
demon  demon - 485
shai-tan  shai-tan - 477
LINUX  LINUX - 404
Cyko  Cyko - 375
tsabitah  tsabitah - 328
y3dips  y3dips - 281
Cybercrime news
Lynx Ransomware Analyses Reveal Similarities To INC Ransom
Recent Veeam Vulnerability Exploited In Ransomware Attacks
FBI Created A Cryptocurrency So It Could Watch It Being Abused
Ransomware Double-Extortion Group Listings Peaked In 2024
Ukrainian Malware Operator Pleads Guilty In US Court
Healthcare Orgs Warned Of Trinity Ransomware Attacks
About A Quarter Million Comcast Subscribers Had Their Data Stolen From Debt Collector
Apple Couldn't Tell Fake iPhones From Real Ones, Lost $2.5M In Scam
Ransomware Hits Critical Infrastructure Hard, Costs Adding Up
Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant
Evil Corp/REvil Malware Crime Group Outed As Family Affair
More LockBit Hackers Arrested, Unmasked As Servers Siezed
Ransomware Forces Hospital To Turn Away Ambulances
Ransomware Gang Using Stolen MS Entra ID Creds To Bust Into Cloud
RansomHub Genius Tries To Put The Squeeze On Delaware Libraries
US Indicts Two Over Socially Engineered $230M+ Crypto Heist
Life Imitates xkcd Comic As Florida Gang Beats Crypto Password From Retiree
Cyber Crooks Strut Away With Haute Couture Harvey Nichols Data
Marko Polo Hackers Found To Be Running Dozens Of Scams
Hackers Demand $6 Million From Seattle Airport Operators
Recent WhatsUp Gold Vulnerabilities Possibly Exploited In Ransomware Attacks
Cops Across The World Arrest 51 In Orchestrated Takedown Of Ghost Crime Platform
France Uses Tough, Untested Cybercrime Law To Target Durov
Ransomware Group Leaks Data Stolen From Kawasaki Motors
Old WHOIS Domain Could Have Issued Fraudulent TLS/SSL Certs
Hacker news
Thousands Of Fortinet Instances Vulnerable To Actively Exploited Flaw
Hacked Robot Vacuums Across The U.S. Started Yelling Slurs
Recent Veeam Vulnerability Exploited In Ransomware Attacks
Fidelity Investments Data Breach Impacts 77,000 Customers
ShadowLogic Attack Targets AI Model Graphs To Create Codeless Backdoors
Meet The Team Paid To Break Into Top Secret Bases
Doctor Web Refutes Hackers' Claim Of User Data Theft
Internet Archive Leaks User Info And Succumbs To DDoS
Casio Hit By Cyberattack
Microsoft Confirms Exploited Zero-Day In Windows Management Console
Ransomware Double-Extortion Group Listings Peaked In 2024
Qualcomm Urges Patching After Targeted Exploitation
Ukrainian Malware Operator Pleads Guilty In US Court
Okta Classic Customers Told To Check Logs For Sign-On Bypass
American Water Shuts Down Customer Portal Amid Cybersecurty Incident
You Might Have The Skills That Cyber-Security Wants
Healthcare Orgs Warned Of Trinity Ransomware Attacks
About A Quarter Million Comcast Subscribers Had Their Data Stolen From Debt Collector
Hacker Attack Disrupts Russian State Media On Putin's Birthday
China's Salt Typhoon Hacked Multiple Telcos
LLM Hijacking Of Cloud Infrastructure Uncovered By Researchers
Thousands Of Linux Systems Infected By Malware Since 2021
DOJ, Microsoft Take Down 107 Russian-Backed Star Blizzards Domains
Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant
Ivanti EPM Vulnerability Exploited In The Wild
Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.036 Seconds