SECUNIA ADVISORY ID: SA35144
VERIFY ADVISORY: http://secunia.com/advisories/35144/
CRITICAL: Moderately Critical
DESCRIPTION: girex has discovered some vulnerabilities in Coppermine Photo Gallery, which can be exploited by malicious people to conduct SQL injection attacks, disclose sensitive information, or potentially compromise a vulnerable system. The vulnerabilities are confirmed in version 1.4.22. Other versions may also be affected.
1) Input passed via the "GLOBALS[cat]" parameter in thumbnails.php (if "album" is set to "alpha") is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires that "magic_quotes_gpc" is disabled and "register_globals" is enabled.
2) Input passed to the "GLOBALS[USER][lang]" parameter is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources via a specially crafted request containing directory traversal sequences and a URL-encoded NULL byte. Successful exploitation allows execution of arbitrary PHP code, but requires privileges to upload files, and that "magic_quotes_gpc" is disabled and "register_globals" is enabled.
SOLUTION: Set "magic_quotes_gpc" to "On" and "register_globals" to "Off".
PROVIDED AND/OR DISCOVERED BY: girex
ORIGINAL ADVISORY: http://milw0rm.com/exploits/8713
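
The following Python log check is an added example, not part of the Secunia advisory or the Coppermine code base. It flags query-string requests that try to set the "GLOBALS[...]" parameters described in items 1 and 2; the sample log lines, the /cpg/ paths and the tag names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in common log format (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/May/2009:10:00:01 -0500] "GET /cpg/thumbnails.php?album=lastup&cat=0 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [19/May/2009:10:00:05 -0500] "GET /cpg/thumbnails.php?album=alpha&GLOBALS%5Bcat%5D=1 HTTP/1.1" 200 5120',
    '192.0.2.12 - - [19/May/2009:10:00:09 -0500] "GET /cpg/index.php?GLOBALS[USER][lang]=..%2F..%2FPLACEHOLDER%00 HTTP/1.1" 200 812',
    '192.0.2.13 - - [19/May/2009:10:00:12 -0500] "GET /cpg/displayimage.php?album=2&pos=3 HTTP/1.1" 200 9001',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(line):
    """Return (client, path, tags) for a log line, or None if unparseable."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    # parse_qsl percent-decodes names and values (%5B -> "[", %00 -> NUL).
    params = parse_qsl(url.query, keep_blank_values=True)
    album = dict(params).get("album")
    tags = set()
    for name, value in params:
        if not name.startswith("GLOBALS["):
            continue
        # Normal gallery traffic never sends a parameter named GLOBALS[...].
        tags.add("globals-overwrite")
        if (name == "GLOBALS[cat]" and album == "alpha"
                and url.path.endswith("/thumbnails.php")):
            tags.add("item1-sql-vector")
        if name == "GLOBALS[USER][lang]" and (
                "../" in value or "..\\" in value or "\x00" in value):
            tags.add("item2-include-vector")
    return client, url.path, sorted(tags)

def scan(lines):
    """Return parsed requests that carry at least one tag."""
    parsed = (classify(line) for line in lines)
    return [p for p in parsed if p and p[2]]

if __name__ == "__main__":
    for client, path, tags in scan(SAMPLE_LOG):
        print(client, path, ",".join(tags))
```

Requests that set these variables through POST bodies or cookies do not appear in the access log, so this check covers query-string attempts only.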
Coppermine Photo Gallery Multiple Vulnerabilities
Posted on Tuesday, May 19, 2009 @ 17:25:49 CDT in Security