Coppermine Photo Gallery ZipDownload.PHP SQL Injection Vulnerability

Bugtraq ID:	13289
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 20 2005 12:00AM
Updated:	Apr 20 2005 12:00AM
Credit:	Janek Vind <[email protected]> is credited with the discovery of this vulnerability.
Vulnerable:	Coppermine Photo Gallery 1.3.2
Not Vulnerable:	Coppermine Photo Gallery 1.3.3

Coppermine Photo Gallery ZipDownload.PHP SQL Injection Vulnerability

Coppermine is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.

Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

Coppermine Photo Gallery ZipDownload.PHP SQL Injection Vulnerability

No exploit is required.

Coppermine Photo Gallery ZipDownload.PHP SQL Injection Vulnerability

Solution:
The vendor has addressed this issue in Coppermine Photo Gallery version 1.3.3.


Coppermine Photo Gallery 1.3.2

• Coppermine cpg1.3.3.zip
  http://prdownloads.sourceforge.net/coppermine/cpg1.3.3.zip?download

Coppermine Photo Gallery ZipDownload.PHP SQL Injection Vulnerability

References:

• Coppermine Photo Gallery Homepage (Coppermine Photo Gallery)
  
• [waraxe-2005-SA#042] - Multiple vulnerabilities in Coppermine Photo Gallery 1.3. (Janek Vind )