CVE-2008-0506
Published 2008-01-31
Priority: P259, medium
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Public exploit available
EPSS: 58.90% (99.0th percentile)
include/imageObjectIM.class.php in Coppermine Photo Gallery (CPG) before 1.4.15, when the ImageMagick picture processing method is configured, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) quality, (2) angle, or (3) clipval parameter to picEditor.php.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coppermine | coppermine_photo_gallery | <= 1.4.14 | — |
Detection & IOCs
- Monitor POST requests to picEditor.php containing shell metacharacters (`;`, `|`, `&`) in the `angle`, `quality`, or `clipval` parameters.
- The Metasploit exploit injects the payload into the `angle` POST parameter using the pattern `<numeric> -quiet 1 2;<cmd>;#`. Detect the `-quiet` flag combined with semicolons in that parameter.
- The exploit uses a path traversal string `../../images/` in the `newimage` POST parameter to reference a valid image file. Flag POST requests to picEditor.php containing `../../` in `newimage`.
- Check for exploitation of the vulnerable functions: imageObject::cropImage, imageObject::rotateImage, imageObject::resizeImage in include/imageObjectIM.class.php and resize_image in include/picmgmt.inc.php. These are the actual exec() call sites.
- A GET or POST request to picEditor.php that returns a page body matching /Coppermine Picture Editor/i indicates a potentially vulnerable installation.
- The vulnerability is only exploitable when Coppermine Photo Gallery is configured to use the ImageMagick library for picture processing, which is a non-default installation option.
- The payload bad character is a single quote (`'`) because input is passed through PHP's htmlentities; payloads containing single quotes will be broken.
- The exploit requires the attacker to pass several server-side validation steps before reaching the vulnerable exec() call, so blind injection attempts that skip validation will fail.
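The request-level checks listed above can be run over captured POST bodies. This is an added example, not code from the page or from the Metasploit module; it assumes form-urlencoded bodies recorded by a proxy or WAF, and the function names, finding labels and sample records are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameters the advisory says reach exec() unescaped.
EXEC_PARAMS = ("quality", "angle", "clipval")
# Shell metacharacters named in the detection notes.
SHELL_META = set(";|&")


def inspect_request(method, url, body):
    """Return a list of findings for one request; empty means no match."""
    if method.upper() != "POST":
        return []
    if not urlsplit(url).path.lower().endswith("/piceditor.php"):
        return []
    # Split on '&' only, so a raw ';' stays inside the parameter value.
    fields = parse_qs(body, keep_blank_values=True, separator="&")
    findings = []
    for name in EXEC_PARAMS:
        for value in fields.get(name, []):
            if SHELL_META & set(value):
                findings.append(f"metachar:{name}")
            # Pattern attributed to the public module: -quiet plus ';' in angle.
            if name == "angle" and "-quiet" in value and ";" in value:
                findings.append("quiet-flag:angle")
    for value in fields.get("newimage", []):
        if "../../" in value:
            findings.append("traversal:newimage")
    return findings


def scan(records):
    """Return (index, findings) for every record that matched a check."""
    return [(i, f) for i, rec in enumerate(records) if (f := inspect_request(*rec))]


# Constructed sample records: (method, URL, urlencoded body).
SAMPLES = [
    ("POST", "/cpg/picEditor.php",
     urlencode({"angle": "90", "quality": "80", "newimage": "pic.jpg"})),
    ("POST", "/cpg/picEditor.php",
     urlencode({"angle": "90 -quiet 1 2;<cmd>;#",
                "newimage": "../../images/sample.jpg"})),
    ("POST", "/cpg/index.php", urlencode({"angle": "1;2"})),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLES):
        print(index, findings)
```

A match records an attempt against picEditor.php; whether it could succeed still depends on the ImageMagick setting and the server-side validation noted above.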
No detection rules found.
Exploit-DB
Coppermine Photo Gallery 1.4.14 - 'picEditor.php' Command Execution (Metasploit)
exploitdb·2010-07-03
---
##
# $Id: coppermine_piceditor.rb 9671 2010-07-03 06:21:31Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Coppermine Photo Gallery %q{
This module exploits a vulnerability in the picEditor.php script of Coppermine
Photo Gallery. When configured to use the ImageMagick library, the 'quality', 'angle',
and 'clipval' parameters are not properly escaped before being passed to the PHP
'exec' command.
In order to reach the vulnerable 'exec' call, the
Metasploit
Coppermine Photo Gallery picEditor.php Command Execution
metasploit
This module exploits a vulnerability in the picEditor.php script of Coppermine Photo Gallery versions 1.4.14 and earlier. When configured to use the ImageMagick library, the 'quality', 'angle', and 'clipval' parameters are not properly escaped before being passed to the PHP 'exec' command. In order to reach the vulnerable 'exec' call, the input must pass several validation steps. The vulnerabilities actually reside in the following functions:
- image_processor.php: rotate_image(...)
- include/imageObjectIM.class.php: imageObject::cropImage(...)
- include/imageObjectIM.class.php: imageObject::rotateImage(...)
- include/imageObjectIM.class.php: imageObject::resizeImage(...)
- include/picmgmt.inc.php: resize_image(...)
NOTE: Use of the ImageMagi
No writeups or analysis indexed.
References
- http://coppermine-gallery.net/forum/index.php?topic=50103.0
- http://secunia.com/advisories/28682
- http://www.securityfocus.com/archive/1/487310/100/200/threaded
- http://www.securityfocus.com/bid/27512
- http://www.securitytracker.com/id?1019286
- http://www.vupen.com/english/advisories/2008/0367
- http://www.waraxe.us/advisory-65.html
- https://www.exploit-db.com/exploits/5019