Cross-site Scripting (XSS) - Reflected in coppermine-gallery/cpg1.6.x

Valid

Reported on

May 6th 2021


✍️ Description

Coppermine is vulnerable to reflected XSS on /plugins/upload_h5a/help.php because it does not sanitize user-supplied parameters, as shown below.
Vulnerable parameter: t
Method: GET
The $styles variable is built from the user-supplied value of t and is then echoed, unencoded, into the href attribute of a <link> tag in the response.

<?php
// Vulnerable code from plugins/upload_h5a/help.php: request parameters are
// concatenated into paths with no validation.
$styles = '../../themes/'.$_GET['t'].'/style.css';
$hpath = 'help/'.$_GET['g'].'/';
$lang = $_GET['l'];
$hfile = file_exists($hpath.$lang.'.html') ? $lang.'.html' : 'english.html';
?>
<!DOCTYPE html>
<html lang="en">
<head>
<title></title>
<!-- $styles is echoed without HTML encoding, so a quote in t closes the attribute -->
<link rel="stylesheet" type="text/css" href="<?php echo $styles; ?>">
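As an added example (not Coppermine's code and not part of the original report), here is a hardened form of the same snippet. It applies two independent layers: each request parameter is validated against an allowlist pattern and must resolve to an existing directory or file before it is used, and the value is HTML-encoded at the point of output so a quote or angle bracket can no longer break out of the attribute. The function name safe_dir_component and the 'default' fallback theme and help group are assumptions; the encoding of $styles on the <link> line is the part that directly closes the reported issue, and the same validate-then-encode pattern is applied to the other parameters the snippet reads.

```php
<?php
// Added hardening example, not Coppermine's code. Assumes a theme directory
// named 'default' and a help group 'default' exist; adjust the fallbacks.

/**
 * Return $value if it is a plain name (letters, digits, '_' or '-') that
 * resolves to an existing directory under $base; otherwise return $fallback.
 * The pattern rejects quotes, angle brackets, slashes and dots, so neither
 * attribute breakout nor directory traversal is possible via this value.
 */
function safe_dir_component(string $value, string $base, string $fallback): string
{
    if (preg_match('/^[A-Za-z0-9_-]+$/', $value) === 1 && is_dir($base . '/' . $value)) {
        return $value;
    }
    return $fallback;
}

$theme = safe_dir_component($_GET['t'] ?? '', __DIR__ . '/../../themes', 'default');
$group = safe_dir_component($_GET['g'] ?? '', __DIR__ . '/help', 'default');

// Language names are lower-case words only; anything else falls back to english.
$langParam = $_GET['l'] ?? '';
$lang = preg_match('/^[a-z]{2,16}$/', $langParam) === 1 ? $langParam : 'english';

$styles = '../../themes/' . $theme . '/style.css';
$hpath  = 'help/' . $group . '/';
$hfile  = file_exists(__DIR__ . '/' . $hpath . $lang . '.html') ? $lang . '.html' : 'english.html';
?>
<!DOCTYPE html>
<html lang="en">
<head>
<title></title>
<!-- Output encoding is the second layer: even if validation is loosened
     later, a " or > in $styles is rendered as &quot; or &gt; here. -->
<link rel="stylesheet" type="text/css" href="<?php echo htmlspecialchars($styles, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?>">
```

With this in place the proof-of-concept request below (t=1"><script>...) fails validation at safe_dir_component, so $theme becomes 'default' and the response contains only a well-formed stylesheet link; even a value that passed validation would be encoded before it reached the attribute.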

🕵️‍♂️ Proof of Concept

In a browser, request help.php under the path where Coppermine is installed, in this case /cpg16x/:

http://localhost/cpg16x/plugins/upload_h5a/help.php?t=1%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E

Observe the XSS.

💥 Impact

According to netsparker:

The impact can lead to disclosure of sensitive data, CSRF attacks and other security vulnerabilities. By exploiting a cross-site scripting vulnerability an attacker can impersonate the victim and take over the account. If the victim has administrative rights it might even lead to code execution on the server, depending on the application and the privileges of the account.
phill104 validated this vulnerability 16 days ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
phill104 confirmed that a fix has been merged on da17dc 16 days ago
The fix bounty has been dropped
jhond0e
14 days ago

Hello, I just read this report and realized that the vulnerability has not been fixed on your own website. https://coppermine-gallery.net/demo/cpg16x/plugins/upload_h5a/help.php?t=1%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E

Have a good day.
