FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

coppermine -- "file" Local File Inclusion Vulnerability

Affected packages
coppermine < 1.4.5

Details

VuXML ID 6738977b-e9a5-11da-b9f4-00123ffe8333
Discovery 2006-04-19
Entry 2006-05-22

Secunia reports:

Coppermine Photo Gallery has a vulnerability, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "file" parameter in "index.php" isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.

Example: http://[host]/index.php?file=.//././/././/././/./[file]%00

Successful exploitation requires that "magic_quotes_gpc" is disabled.
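For reviewing web server logs of an affected installation, the following added example (not part of the advisory or of Coppermine) flags index.php requests whose "file" parameter carries a NUL byte or dot/empty path segments, the two traits of the example URL above. The log lines are constructed, the function names are hypothetical, and it assumes a legitimate "file" value consists only of plain path segments.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request target inside a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A path segment that is empty, "." or ".." (covers "//", "./", "/./", "/../").
DOT_SEGMENT_RE = re.compile(r'(?:^|[\\/])\.{0,2}(?=[\\/]|$)')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding, e.g. %2500 -> %00 -> NUL."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return reasons why the 'file' parameter of an index.php request is suspicious."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return []
    reasons = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name != "file" or not value:
            continue
        value = fully_decode(value)
        if "\x00" in value:
            reasons.append("NUL byte")
        if DOT_SEGMENT_RE.search(value):
            reasons.append("dot or empty path segment")
    return reasons

def scan_log(lines):
    """Return (line_number, request_target, reasons) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        reasons = inspect_request(match.group(1)) if match else []
        if reasons:
            hits.append((number, match.group(1), reasons))
    return hits

# Constructed sample log lines (documentation addresses, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Apr/2006:10:00:01 +0000] "GET /gallery/index.php?cat=3 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [19/Apr/2006:10:00:07 +0000] "GET /gallery/index.php?file=.//././/././/././/./example.txt%00 HTTP/1.1" 200 312',
    '192.0.2.12 - - [19/Apr/2006:10:00:09 +0000] "GET /gallery/index.php?file=sample_plugin/page HTTP/1.1" 200 2048',
    '192.0.2.13 - - [19/Apr/2006:10:00:12 +0000] "GET /gallery/index.php?file=notes%2500 HTTP/1.1" 200 0',
]
```

Calling `scan_log(SAMPLE_LOG)` reports lines 2 and 4; a hit shows that the request was made, not that the include succeeded, which per the advisory also depends on "magic_quotes_gpc" being disabled.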

References

CVE Name CVE-2006-1909
URL http://coppermine-gallery.net/forum/index.php?topic=30655.0
URL http://myimei.com/security/2006-04-14/copperminephotogallery144-plugininclusionsystemindexphp-remotefileinclusion-attack.html
URL http://secunia.com/advisories/19665/