[VIM] Coppermine Photo Gallery 1.5.x Remote Command Execution

George A. Theall theall at tenable.com
Wed Feb 9 10:35:11 CST 2011

Exploit DB 16142 / Bugtraq 46288 cover a remote command execution  
issue in Coppermine Photo Gallery 1.5.x reported by Sn!pEr.S!Te.  This  
person's success record has been rather spotty in the past, and this  
one seems just as bogus. Here's the code from include/picmgmt.inc.php  
in 1.5.12:

                                      ----- snip, snip, snip -----
   if (!defined('IN_COPPERMINE')) { die('Not in Coppermine...');}
   function resize_image($src_file, $dest_file, $new_size, $method,  
$thumb_use, $watermark="false", $sharpen=0, $media_type="false")
                         if ($superCage->env->getMatched('OS', '/win/ 
i')) {
                           $cmd = "\"".str_replace("\\","/",  
$CONFIG['impath'])."convert\" -resize ".$wm_resize."% ".str_replace("\ 
\","/" ,$CONFIG['watermark_file'] )." ".str_replace("\\","/" , 
$path_to_tmp_wm );
                           exec ("\"$cmd\"", $output, $retval);
                                      ----- snip, snip, snip -----

The 'IN_COPPERMINE' check occurs in the first non-comment line after  
the initial PHP opening tag so right from the start, we can see that  
the issue can't be exploited as Sn!pEr.S!Te claims.

Also, the 'exec()' call that's supposedly affected occurs in a  
function definition and the file basically just holds function calls;  
there's no way to call the affected 'resize_image()' function by  
requesting picmgmt.inc.php.

And finally, the 'output' and 'retval' parameters actually appear in  
the 'exec()' call as the 2nd and 3rd args, not part of the first as Sn! 
pEr.S!Te claims. This difference is significant, as PHP uses those  
parameter values to store the output of the command and its return  
value respectively; they are not simply appended to the command and  
passed to a shell.

theall at tenablesecurity.com

More information about the VIM mailing list