CVE-2008-0506
published 2008-01-31

Priority: P259
Severity: medium, 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Tags: EXPLOIT
EPSS: 58.90% (99.0th percentile)

include/imageObjectIM.class.php in Coppermine Photo Gallery (CPG) before 1.4.15, when the ImageMagick picture processing method is configured, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) quality, (2) angle, or (3) clipval parameter to picEditor.php.

Affected (1 range)

Vendor: coppermine
Product: coppermine_photo_gallery
Version range: <= 1.4.14
Fixed in: not listed

Detection & IOCs (extracted from sources)

path: /picEditor.php
path: include/imageObjectIM.class.php
command: angle=<numeric>+-quiet+1+2;<payload>;#&quality=50&newimage=../../images/<thumb>.jpg
  • Monitor POST requests to picEditor.php containing shell metacharacters (`;`, `|`, `&`) in the `angle`, `quality`, or `clipval` parameters.
  • The Metasploit exploit injects the payload into the `angle` POST parameter using the pattern `<numeric> -quiet 1 2;<cmd>;#` — detect the `-quiet` flag combined with semicolons in that parameter.
  • The exploit uses a path traversal string `../../images/` in the `newimage` POST parameter to reference a valid image file — flag POST requests to picEditor.php containing `../../` in `newimage`.
  • Check for exploitation of the vulnerable functions: imageObject::cropImage, imageObject::rotateImage, imageObject::resizeImage in include/imageObjectIM.class.php and resize_image in include/picmgmt.inc.php — these are the actual exec() call sites.
  • A GET or POST request to picEditor.php that returns a page body matching /Coppermine Picture Editor/i indicates a potentially vulnerable installation.
  • The vulnerability is only exploitable when Coppermine Photo Gallery is configured to use the ImageMagick library for picture processing; this is a non-default installation option.
  • The payload bad character is a single quote (`'`) because input is passed through PHP's htmlentities; payloads containing single quotes will be broken.
  • The exploit requires the attacker to pass several server-side validation steps before reaching the vulnerable exec() call; blind injection attempts that skip validation will fail.
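
The request-level checks from the list above, written as detection logic and run over constructed sample requests. This is an added example, not code from Coppermine, Metasploit or the sources quoted on this page; the function names, rule labels and the (method, URL, body) record shape are assumptions.

```python
from urllib.parse import unquote_plus, urlsplit

EXEC_PARAMS = ("quality", "angle", "clipval")  # parameters named in the advisory
METACHARS = ";|&"                              # metacharacters listed in the first bullet

def parse_form(body):
    """Decode a form-encoded body. Split on '&' only, so a raw ';' stays in its value."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if name:
            fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields

def findings(method, url, body):
    """Return the rule hits for one logged request (empty list if none apply)."""
    if method != "POST" or not urlsplit(url).path.lower().endswith("/piceditor.php"):
        return []
    fields, hits = parse_form(body), []
    for name in EXEC_PARAMS:
        for value in fields.get(name, []):
            if any(ch in value for ch in METACHARS):
                hits.append("metachar:" + name)
    for value in fields.get("angle", []):
        if "-quiet" in value and ";" in value:
            hits.append("quiet-semicolon:angle")
    for value in fields.get("newimage", []):
        if "../../" in value:
            hits.append("traversal:newimage")
    return hits

def scan(records):
    """Return (index, hits) for every record with at least one hit."""
    flagged = []
    for index, record in enumerate(records):
        hits = findings(*record)
        if hits:
            flagged.append((index, hits))
    return flagged

# Constructed sample requests; <payload> and <thumb> are the page's own placeholders.
SAMPLES = [
    ("POST", "/cpg/picEditor.php", "angle=90&quality=50&newimage=albums/thumb_a.jpg"),
    ("POST", "/cpg/picEditor.php",
     "angle=90+-quiet+1+2;<payload>;#&quality=50&newimage=../../images/<thumb>.jpg"),
    ("POST", "/cpg/picEditor.php", "clipval=10%7CPLACEHOLDER&quality=50"),
    ("POST", "/cpg/index.php", "q=a;b"),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLES):
        print(index, hits)
```

Values are URL-decoded before matching, so `%3B`, `%7C` and `%26` are caught the same way as their literal forms.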