CVE-2008-7187
https://notcve.org/view.php?id=CVE-2008-7187
Coppermine Photo Gallery (CPG) 1.4.14 allows remote attackers to obtain sensitive information via a direct request to include/slideshow.inc.php, which leaks the installation path in an error message.
• http://www.securityfocus.com/archive/1/487351/100/200/threaded
• http://www.securitytracker.com/id?1019285
• http://www.vupen.com/english/advisories/2008/0367
• http://www.waraxe.us/advisory-66.html
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2008-3486 – Coppermine Photo Gallery 1.4.18 - Local File Inclusion / Remote Code Execution
https://notcve.org/view.php?id=CVE-2008-3486
Directory traversal vulnerability in the user_get_profile function in include/functions.inc.php in Coppermine Photo Gallery (CPG) 1.4.18 and earlier, when the charset is utf-8, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang part of serialized data in an _data cookie.
• https://www.exploit-db.com/exploits/6178
• http://secunia.com/advisories/31295
• http://securityreason.com/securityalert/4108
• http://www.securityfocus.com/bid/30480
• https://exchange.xforce.ibmcloud.com/vulnerabilities/44133
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2008-3481 – Coppermine Photo Gallery 1.4.18 - Local File Inclusion / Remote Code Execution
https://notcve.org/view.php?id=CVE-2008-3481
themes/sample/theme.php in Coppermine Photo Gallery (CPG) 1.4.18 and earlier allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message.
• https://www.exploit-db.com/exploits/6178
• http://securityreason.com/securityalert/4108
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2008-1840
https://notcve.org/view.php?id=CVE-2008-1840
SQL injection vulnerability in upload.php in Coppermine Photo Gallery (CPG) 1.4.16 and earlier allows remote authenticated users or user-assisted remote HTTP servers to execute arbitrary SQL commands via the Content-Type HTTP response header provided by the HTTP server that is used for an upload.
• http://forum.coppermine-gallery.net/index.php/topic%2C51787%2C0.html
• http://secunia.com/advisories/29795
• http://sourceforge.net/project/shownotes.php?group_id=89658&release_id=592069
• http://www.osvdb.org/44345
• http://www.securityfocus.com/bid/28766
• https://exchange.xforce.ibmcloud.com/vulnerabilities/41784
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2008-1841
https://notcve.org/view.php?id=CVE-2008-1841
SQL injection vulnerability in the session handling functionality in bridge/coppermine.inc.php in Coppermine Photo Gallery (CPG) 1.4.17 and earlier allows remote attackers to execute arbitrary SQL commands via an input field associated with the session_id variable, as exploited in the wild in April 2008. NOTE: the fix for CVE-2008-1840 was intended to address this vulnerability, but is actually inapplicable.
• http://coppermine.svn.sourceforge.net/viewvc/coppermine/trunk/cpg1.4.x/bridge/coppermine.inc.php?r1=4380&r2=4381
• http://coppermine.svn.sourceforge.net/viewvc/coppermine/trunk/cpg1.4.x/bridge/coppermine.inc.php?view=log
• http://forum.coppermine-gallery.net/index.php/topic%2C51882.0.html
• http://secunia.com/advisories/29741
• http://sourceforge.net/project/shownotes.php?group_id=89658&release_id=592069
• http://www.securityfocus.com/bid/28767
• https://exchange.xforce.ibmcloud.com/vulnerabilities/41788
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')