Eskimo North

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CopperMine Vulnerability - Eskimo's Website

     Today at 9:45 AM, someone exploited a flaw in my CopperMine photo gallery
on my personal page and executed a script that tacked in an <iframe> to all of
the web pages I had write access to in the main directory which included more
than 1200 pages.

     I wrote a similar script to remove from all the affected pages, but users
who have Coppermine on their website and allow public uploads are open to this
same exploit except that it may not affect them because it isn't smart enough
to look in user directorys when writing files even though it was a user
directory file it exploited.  In my case though since most of the system web
pages are writable by me, it was a bad thing.

     The iframe included a website in the Ukraine that served up a delicious
virus that exploited some web browsers.  This hack did not affect any web
browsers that properly honor the closing </html> tag because the include was
placed after the closing </html> tag.  It appears that the current Firefox is
not exploitable, the current Explorer is, and I don't know with respect to
Safari and Opera.

     I didn't have the current version of CopperMine installed, but the bad
news is that even the very most current 1.4.16 stable release of CopperMine
remains exploitable (I tested after the upgrade).

     The only fix at this time is to DISABLE UPLOADS for anyone but yourself to
Coppermine.  THe problem really is a fundamental design flaw in CopperMine and
will take significant logic changes to fix.

     Coppermine uploads to the directory where the image will finally reside
when a user uploads a file.  Even though the upload code will find that it's
not a legitimate image, and tell you it can't place the file, it still leaves
the file in that directory.

     An attacker can figure out the full path to that directory by first
uploading a legitimate image to the same directory; and since CopperMine
doesn't change the filename when you upload it, they then know the full path to
their just uploaded file which is a PHP script and can execute it in their
browser.  It then very efficiently goes through your web servers home page
hiearchy and alters any files that you have write access to.

     What's more, if it can access the config script (which unfortunately it
was able to on my site) it also alters the config to include that file as a
default header in the themes so it will get re-executed everytime someone
displays a page.  The name of the file was and
142739_298w3.jpg, both were uploaded but it was really the latter that was used
since zip wasn't setup to automatically execute.  This really looks like a
machine generated name and is probably a function of the virus so it may be
named differently on your box.  It will end up in one of the album

 Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
   Knowledgable human assistance, not telephone trees or script readers.
 See our web site: (206) 812-0051 or (800) 246-6874.