
Security Advisory: File Inclusion & Command Execution

Started by cdobbs, February 05, 2007, 04:02:02 PM



Hein Traag

Thanks for bringing this to our attention, cdobbs.

The content of the message is:

Quote:

Description:
Some vulnerabilities have been discovered in Coppermine Photo Gallery, which can be exploited by malicious users to disclose sensitive information and to compromise vulnerable systems.

1) Input passed to the form fields "Path to custom header include" and "Path to custom footer include" in admin.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources and potentially also from external resources.

2) Input passed to the form field "Command line options for ImageMagick" in admin.php is not properly sanitised before being used as an option to ImageMagick's "convert" command. This can be exploited to inject arbitrary shell commands via the ";" character.

Successful exploitation of either vulnerability requires valid administrator credentials.

The vulnerabilities are confirmed in version 1.4.10. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified and sanitised.

Provided and/or discovered by:
Site developer and an anonymous person

Anything we need to worry about?

Regards,
Hein

Joachim Müller

Quote:
1) Input passed to the form fields "Path to custom header include" and "Path to custom footer include" in admin.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources and potentially also from external resources.
Both forms reside on admin-only screens. If someone has admin access, there are of course no further checks, as you can't expect an admin to perform XSS on his own site, simply because there are easier methods to bring down your site. Imo this is a bogus report.

Quote:
2) Input passed to the form field "Command line options for ImageMagick" in admin.php is not properly sanitised before being used as an option to ImageMagick's "convert" command. This can be exploited to inject arbitrary shell commands via the ";" character.
Basically the very same thing I said above applies as well - the form field in question is on an admin-only page. A malevolent attacker would have to get admin powers in the first place to be able to execute dangerous code.

Imo those so-called "vulnerabilities" have been detected using generic vulnerability-detection scripts that have been run against Coppermine's code without further investigation.

Imagine a similar report for Linux: "Warning, user can perform the dd command to destroy the content of the hard drive when logged in as root". Is this surprising? Or "Warning: cars can hit walls unexpectedly when driven at high speeds by drunken drivers without a license and the headlights turned off in the dark".

Bottom line: nothing to be worried about imo.
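
Added example, not part of the thread and not Coppermine's code: one way the "properly verified and sanitised" checks from the quoted advisory could look for the two settings it names (the include paths and the ImageMagick options). The function names, the base-directory parameter and the option allowlist are assumptions made for illustration.

```php
<?php
// Added example; not Coppermine code. All names and the allowlist are hypothetical.
// Accept an admin-supplied include path only if it resolves to a file inside $baseDir.
function safe_include_path(string $userPath, string $baseDir): ?string
{
    // Refuse stream wrappers / URLs (external resources) before touching the filesystem.
    if ($userPath === '' || preg_match('#^[a-z][a-z0-9+.-]*:#i', $userPath) === 1) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // realpath() has resolved "../" and symlinks; the result must still sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Permitted "convert" switches mapped to a pattern for their value (null = takes no value).
const CONVERT_ALLOWED = [
    '-strip'     => null,
    '-quality'   => '/^\d{1,3}$/',
    '-unsharp'   => '/^\d+(\.\d+)?x\d+(\.\d+)?$/',
    '-interlace' => '/^(None|Line|Plane)$/',
];

// Return shell-escaped arguments, or null if any token is not on the allowlist.
function safe_convert_options(string $raw, array $allowed = CONVERT_ALLOWED): ?array
{
    $tokens = preg_split('/\s+/', $raw, -1, PREG_SPLIT_NO_EMPTY);
    $args = [];
    for ($i = 0, $n = count($tokens); $i < $n; $i++) {
        $opt = $tokens[$i];
        if (!array_key_exists($opt, $allowed)) {
            return null; // unknown switch, stray value, or a token containing ";"
        }
        $args[] = escapeshellarg($opt);
        if ($allowed[$opt] !== null) {
            $i++;
            $val = $tokens[$i] ?? '';
            if (preg_match($allowed[$opt], $val) !== 1) {
                return null;
            }
            $args[] = escapeshellarg($val);
        }
    }
    return $args;
}
```

A caller would refuse to save the setting when either function returns null, and otherwise use the returned canonical path or join the escaped arguments with spaces when building the command line.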

mattbta

Good to know this is a non-issue as I got the same alert from Secunia.

Cheers.