ID CVE-2006-6123
Summary Coppermine Photo Gallery (CPG) 1.4.8 stable, with register_globals enabled, allows remote attackers to bypass XSS protection and set arbitrary variables via a query string that causes the variable to be defined in global space, with separate _GET, _REQUEST, or other critical parameters, which are unset by the protection scheme and prevent the original variable from being detected.
References
Vulnerable Configurations
  • cpe:2.3:a:coppermine:coppermine_photo_gallery:1.4.8_stable:*:*:*:*:*:*:*
CVSS
Base: 2.6 (as of 29-07-2017 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: HIGH
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
cvss-vector via4 AV:N/AC:H/Au:N/C:N/I:P/A:N
refmap via4
bugtraq 20060623 [KAPDA]Coppermine 1.4.8~Parameter Cleanup System ByPass~Registering Global Varables
confirm http://svn.sourceforge.net/viewvc/coppermine?view=rev&revision=3133
misc http://myimei.com/security/2006-06-20/coppermine-148parameter-cleanup-system-bypassregistering-global-varables.html
osvdb 27618
secunia 20597
sreason 1914
xf coppermine-init-security-bypass(27376)
Last major update 29-07-2017 - 01:29
Published 26-11-2006 - 23:07
Last modified 29-07-2017 - 01:29