Written By Michael Brooks Special thanks to str0ke! Coppermine Photo gallery - Remote PHP File Upload Affects: v1.4.19 Homepage: http://coppermine-gallery.net/ 5,239,057 downloads from sf.net! For this attack we need register_globals=on . The problem is that the anti-register_globals security can be bypassed. This is in /include/init.inc.php starting on line 42: $keysToSkip = array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', 'HTML_SUBST'); //... if (is_array($_POST)) { foreach ($_POST as $key => $value) { if (!is_array($value)) $_POST[$key] = strtr($value, $HTML_SUBST); if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key); } } if (is_array($_GET)) { foreach ($_GET as $key => $value) { unset($_GET[$key]); $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST); if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key); } } if (is_array($_COOKIE)) { foreach ($_COOKIE as $key => $value) { if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key); } } if (is_array($_REQUEST)) { foreach ($_REQUEST as $key => $value) { if (!is_array($value)) $_REQUEST[$key] = strtr($value, $HTML_SUBST); if (!in_array($key, $keysToSkip) && isset($$key) && ini_get('register_globals') == '1') unset($$key); } } //... Here is a patch that will take care of register_globals. if(ini_get(register_globals)){ foreach(get_defined_vars() as $var=>$val){ //only keep superglobals we need on this whitelist, _SESSION will take care of its self: if(!in_array($var,array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER'))){ unset($$var); } } } These 2 exploits are written in HTM, but they are NOT XSRF! This is a global variable manipulation issue, you can exploit this with CURL or whatever. This will copy www.google.com to http://127.0.0.1/cpg1419/albums/test.php . This is very useful for uploading backdoors. This is hijacking a call to copy() so we need allow_url_fopen=On , which is default.
This request will copy the database connection info and make it readable here: http://10.1.1.155/Audit/cpg1419/albums/dbinfo.txt This attack works with allow_url_fopen=Off
# milw0rm.com [2009-01-29]