Www.edup.tudelft.nl/~bjwever/advisory copperminer.html.php
From Skypher
This information is copied from my old webpage @ http://www.edup.tudelft.nl/~bjwever. Some or all of it may be outdated and incorrect. The only thing close to any guarantee that I can give about the contents of this page is that it is very likely to be chock-full of spelling errors.
Coppermine photo gallery file upload remote compromise
Background information
From the website, http://www.chezgreg.net/coppermine/:
- "Coppermine Photo Gallery is a picture gallery script. Users can upload pictures with a web browser (thumbnails are created on the fly), add comments, send e-cards and view statistics about the pictures."
- "The script uses PHP, a MySQL database and the GD library (version 1.x or 2.x) or ImageMagick to make the thumbnails. An install script makes the installation very fast and easy."
Vulnerability
Coppermine allows logged-in users to upload images onto a server, and in a lot of configurations even anonymous uploading is allowed. The upload script has a buggy extension checking routine which allows the uploading of ".jpg.php" files. These files need to be valid JPEG files or Coppermine will delete them. It is trivial to create a file which is a valid JPEG and also a valid PHP script. Once uploaded, the PHP script can then be executed, allowing access to the remote server under the privileges of the user PHP is running under.
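The bug class described above comes down to which part of the filename the upload handler trusts. The following is an added illustration, not Coppermine's own code and not the patch the author released: `flawed_extension_ok` is an assumed example of a check that reads the text after the first dot (so "x.jpg.php" looks like a JPEG), and `safe_upload_name` shows the hardened handling a defender would want: require exactly one extension, take it from an allowlist, check the file header as defence in depth, and store the file under a server-generated name so the client's filename never reaches the filesystem. The sample filenames and byte strings in the code are constructed for the demonstration.

```python
import os
import secrets
from typing import Optional

# Allowlist of image extensions the gallery is willing to store.
ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}

# Leading bytes of each allowed format, used as a defence-in-depth header check.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
}


def flawed_extension_ok(filename: str) -> bool:
    """Illustrative weak check (an assumed pattern, not Coppermine's actual code).

    It inspects the text after the FIRST dot, so "shell.jpg.php" is seen as a
    ".jpg" file even though the web server will hand it to PHP.
    """
    parts = filename.split(".")
    if len(parts) < 2:
        return False
    return parts[1].lower() in ALLOWED_EXT


def safe_upload_name(filename: str, data: bytes) -> Optional[str]:
    """Hardened handling: returns the name to store the upload under, or None
    to reject it.

    - Only the LAST extension matters to the web server, so decide on that.
    - Require exactly one extension: this rejects "a.jpg.php" and also
      "a.php.jpg", which some Apache mod_mime configurations still run as PHP
      because every extension in the name is interpreted.
    - Check the file header, but only as defence in depth: a file can be a
      valid JPEG and a valid PHP script at the same time, so content checks
      alone cannot decide whether a file is safe to serve from a PHP-enabled
      directory.
    - Never reuse the client-supplied name; generate one on the server.
    """
    base = os.path.basename(filename)  # drop any directory components
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return None
    ext = parts[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    if not data.startswith(MAGIC[ext]):
        return None
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed samples: a JPEG header and a PHP opening tag.
    jpeg_head = b"\xff\xd8\xff\xe0"
    php_head = b"<?php"
    for name, data in [("photo.jpg", jpeg_head),
                       ("Copperminer.jpg.php", jpeg_head),
                       ("photo.php.jpg", jpeg_head),
                       ("photo.jpg", php_head)]:
        print(f"{name:22} flawed={flawed_extension_ok(name)!s:5} "
              f"hardened={safe_upload_name(name, data)}")
```

Storing uploads under a generated single-extension name removes the double-extension problem regardless of how the check is written; pairing that with a web server configuration that refuses to execute scripts in the upload directory closes the remaining gap, since a polyglot file that passes the header check is then only ever served as an image.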
Affected versions
The problem was found in Coppermine 1.0 RC3, the latest stable release. The latest beta (1.1 beta 2) is not affected according to the author.
Exploit
Copperminer.zip contains Copperminer.jpg.php, the actual exploit.
Upload the exploit onto a vulnerable server and execute it like this:
/albums/userpics/Copperminer.jpg.php?[command]
Where command can be something like "id;uname%20-a" or "cat%20/etc/passwd".
Notes:
- MSIE will display Copperminer.jpg.php as an image, but lynx will display the output of the command you gave it.
- http://www.google.com/search?q=allinurl%3A+/upload.php?album=
Timeline
| Date | Event |
|---|---|
| 2003-03-31 | Issue discovered, working exploit written. |
| 2003-03-31 | Author contacted, problem acknowledged by author. |
| 2003-04-05 | Patches released through Coppermine website. |
| 2003-04-07 | Information disclosed. |
Patch
Can be found at http://www.chezgreg.net/coppermine/.
