Coppermine Photo Gallery upload.php SQL Injection Vulnerability

Published: 2008-04-14
Updated: 2008-04-15

Affected systems:
Coppermine Photo Gallery 1.4.16
Unaffected systems:
Coppermine Photo Gallery 1.4.17
Description:
BUGTRAQ ID: 28766

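Coppermine is a multi-purpose integrated web picture gallery script written in PHP.

Coppermine's upload.php file has an input validation flaw in how it processes user request data, which a remote attacker may exploit to carry out SQL injection attacks.

When performing a URI/URL upload, Coppermine's upload.php does not properly filter the MIME media type supplied by the remote HTTP server, which allows a remote attacker to carry out SQL injection attacks by manipulating the SQL query.

<*Source: Coppermine
  
  Links: http://secunia.com/advisories/29795/
         http://forum.coppermine-gallery.net/index.php?action=printpage;topic=51787.0
*>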

Recommendation:
Workaround:

* Locate the following lines in upload.php:

                } else {
                    // We will try to get the extension from the database.
                    $MIME_result = cpg_db_query("SELECT extension FROM {$CONFIG['TABLE_FILETYPES']} WHERE mime='$URI_MIME_type'");

                    // Check to see if any results were returned.
                    if (!mysql_num_rows($MIME_result)) {

                        // No results, so free up the resources.
                        mysql_free_result($MIME_result);

                        // We cannot determine an extension from the MIME type provided, so note an error. Reject the file as unsafe.
                        $URI_failure_array[] = array( 'failure_ordinal'=>$failure_ordinal, 'URI_name'=> $_POST['URI_array'][$counter], 'error_code'=>$lang_upload_php['MIME_type_unknown']);

                        // There is no need for further tests or action, so skip the remainder of the iteration.
                        continue;

                    } else {

                        // The was a result. Fetch it.
                        $extension_data = mysql_fetch_array($MIME_result);

                        // Release the resources.
                        mysql_free_result($MIME_result);

                        // Store the extension in $extension.
                        $extension = $extension_data['extension'];
                    }

                }

and replace them with:

                } else {
                
                        $extension = '';
                        
                        foreach ($FILE_TYPES as $ext => $typedata){
                        
                            if ($typedata['mime'] == $URI_MIME_type){
                                // Store the extension in $extension.
                                $extension = $ext;
                                break;
                            }
                            
                        }
                        
                        if (!$extension){
                        
                            // We cannot determine an extension from the MIME type provided, so note an error. Reject the file as unsafe.
                            $URI_failure_array[] = array( 'failure_ordinal'=>$failure_ordinal, 'URI_name'=> $_POST['URI_array'][$counter], 'error_code'=>$lang_upload_php['MIME_type_unknown']);
  
                            // There is no need for further tests or action, so skip the remainder of the iteration.
                            continue;
                     
                        }

                }
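
The workaround above takes the database out of the MIME lookup altogether. The following added example (not Coppermine's code; the function names, the table name `cpg_filetypes`, the `$FILE_TYPES` entries and the header values are constructed for illustration) contrasts the two patterns: interpolating the remote server's MIME type changes the query text, while the array lookup only ever compares it.

```php
<?php
// Added illustration, not Coppermine code. The $FILE_TYPES entries, the
// table name and the Content-Type values below are constructed samples.
$FILE_TYPES = array(
    'jpg' => array('mime' => 'image/jpeg'),
    'png' => array('mime' => 'image/png'),
    'gif' => array('mime' => 'image/gif'),
);

// Pre-fix pattern: the remote server's MIME type is pasted into the SQL text.
function build_lookup_query_unsafe($table, $mime)
{
    return "SELECT extension FROM {$table} WHERE mime='$mime'";
}

// Post-fix pattern: the value is only compared against known MIME types.
// Dropping parameters after ';' (e.g. charset) and lower-casing are
// additions of this example, not part of the workaround itself.
function extension_for_mime(array $file_types, $header_value)
{
    $parts = explode(';', $header_value, 2);
    $mime = strtolower(trim($parts[0]));
    foreach ($file_types as $ext => $typedata) {
        if ($typedata['mime'] === $mime) {
            return $ext;
        }
    }
    return ''; // unknown type: the caller rejects the file
}

$samples = array(
    'image/jpeg',
    'IMAGE/PNG; charset=binary',
    "image/jpeg' OR '1'='1",   // constructed hostile header value
    'application/x-unknown',
);

foreach ($samples as $value) {
    $ext = extension_for_mime($FILE_TYPES, $value);
    printf("%-28s => %s\n", $value, $ext === '' ? 'rejected' : $ext);
}

// The quote in the third sample ends the string literal early, so the
// rest of the header value is parsed as SQL rather than as data:
echo build_lookup_query_unsafe('cpg_filetypes', $samples[2]), "\n";
```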

Vendor patch:

Coppermine
----------
The vendor has released an upgrade that fixes this security issue. Download it from the vendor's site:

http://downloads.sourceforge.net/coppermine/cpg1.4.18.zip?modtime=1208178518&big_mirror=0

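This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.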