Author: girex
Site: http://girex.altervista.org/

CMS: Coppermine Photo Gallery <= 1.4.22

Coppermine Photo Gallery suffers from several vulnerabilities.

There is a Local File Inclusion and a Blind SQL Injection that work with
register_globals = On and magic_quotes_gpc = Off.
There is also a SQL Injection that works when registration is enabled and a user can create/modify albums
(the default setting when registration is enabled), regardless of the php.ini settings,
and a Blind SQL Injection when the ecard logging system is enabled
(which is not a default configuration), regardless of the php.ini settings.

Let's see how they work...

-------------------------------------------------------------------------------------------

It is possible to bypass the anti-register_globals protection and obtain a Blind SQL Injection or a Local File Inclusion.

I couldn't find a better way to exploit bypassing the anti-register_globals protection, so I just wrote these
Proof of Concepts.

Let's see the anti-register_globals protection and how to bypass it...

File: /includes/init.inc.php - lines: 42-65

31
$keysToSkip = array(’_POST’, ’_GET’, ’_COOKIE’, ’_REQUEST’, ’_SERVER’, ’HTML_SUBST’, ’keysToSkip’, ’register_
globals_flag’, ’cpgdebugger’);
32
33
if (ini_get(’register_globals’) == ’1’ || strtolower(ini_get(’register_globals’)) == ’on’) {
34
$register_globals_flag = true;
35
} else {
36
$register_globals_flag = false;
37
}
38
39
if (get_magic_quotes_gpc()) {
40
if (is_array($_POST)) {
41
foreach ($_POST as $key => $value) {
42
if (!is_array($value))
43
$_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
44
if (!in_array($key, $keysToSkip) && isset($key) && $register_globals_flag) unset($k
ey);
45
}
46
}
47
48
if (is_array($_GET)) {
49
foreach ($_GET as $key => $value) {
50
unset($_GET[$key]);
Page 1/6
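As an added example, not Coppermine's own code, here is a clean-up that drops request-imported globals regardless of magic_quotes_gpc (in the excerpt above the unset loop sits inside the get_magic_quotes_gpc() branch). The skip list and flag name follow the excerpt; the use of $GLOBALS, the list of sources and the rejection of protected parameter names are assumptions about how an application would want to react.

```php
<?php
// Added example (not Coppermine's code): emulate register_globals = Off without
// depending on magic_quotes_gpc. Assumed to run as the first statements of the
// application's init file, before any request value is read.

// Names that must survive the clean-up: superglobals plus this script's own state.
$keysToSkip = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER',
                    '_FILES', '_ENV', '_SESSION', 'HTML_SUBST', 'keysToSkip',
                    'register_globals_flag', 'cpgdebugger');

$register_globals_flag = (ini_get('register_globals') == '1'
                          || strtolower(ini_get('register_globals')) == 'on');

if ($register_globals_flag) {
    // The sources register_globals imports into the global scope (variables_order
    // "EGPCS"). The removal is unconditional, so behaviour is identical whether
    // magic_quotes_gpc is On or Off.
    $sources = array($_ENV, $_GET, $_POST, $_COOKIE, $_FILES);
    foreach ($sources as $source) {
        if (!is_array($source)) {
            continue;
        }
        foreach (array_keys($source) as $key) {
            if (!in_array($key, $keysToSkip, true)) {
                // Remove the imported global by name through $GLOBALS: this works
                // even if the init file is included from inside a function, and it
                // does not touch the loop variable $key itself.
                unset($GLOBALS[$key]);
            }
        }
    }

    // A request parameter named like a protected variable can only be an attempt
    // to shadow application state, so the request is refused instead of served.
    $requestKeys = array_merge(array_keys($_GET), array_keys($_POST), array_keys($_COOKIE));
    foreach ($requestKeys as $key) {
        if (in_array($key, $keysToSkip, true)) {
            header('HTTP/1.0 400 Bad Request');
            exit('Invalid request parameter');
        }
    }
}

// Only after the clean-up is it safe to apply the magic_quotes / $HTML_SUBST
// normalisation that the original init file performs.
```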