[VIM] Coppermine Photo Gallery RFI Issues

George A. Theall theall at tenablesecurity.com
Thu May 31 14:26:27 UTC 2007

Last march, Hasadya Raed reported some remote file include issues in 
Coppermine Photo Gallery:


And the issues made it into various VDBs (eg, CVE-2007-1414, OSVDB 

I've only checked a couple of the issues, but none look valid. For 
example, looking at both 1.4.10 (which is and was current in March) as 
well as 1.4.3, I see:

   o Many scripts call near their start include/init.inc.php,
     which sanitizes parameters and unregisters any global
     variables that might have been registered.
   o image_processor.php uses $cmd in various calls to exec(),
     not include / require functions, but there's no way for
     an attacker to control it, at least by a 'cmd' parameter.
   o include/functions.php contains only function definitions.
   o include/picmgmt.inc.php and include/plugin_api.inc.php
     can't be called directly.

Has anyone actually been able to verify any of the vulnerabilites in any 
version of the software? Or is this just another case of grep-n-gripe?

theall at tenablesecurity.com

More information about the VIM mailing list