CVE-2008-3486
Published 2008-08-06
Priority: P3 · 50
high · 7.5 · CVSS 2.0 · AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 6.30% (92.7th percentile)
Directory traversal vulnerability in the user_get_profile function in include/functions.inc.php in Coppermine Photo Gallery (CPG) 1.4.18 and earlier, when the charset is utf-8, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang part of serialized data in an _data cookie.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coppermine-gallery | coppermine_photo_gallery | <= 1.4.18 | — |
| coppermine-gallery | coppermine_photo_gallery | — | — |
No detection rules found.
Exploit-DB
SmarterMail 7.1.3876 - Directory Traversal
exploitdb·2010-09-19
CVE-2010-3486 SmarterMail 7.1.3876 - Directory Traversal
---
# Note: Fixed by the vendor in version 7.2.3925
# http://www.smartertools.com/smartermail/releasenotes/v7.aspx
Vendor: smartertools.com SmarterMail 7.x (7.1.3876) | Bug : Directory
Traversal, OS Command Injection, Other Critcal Vulns
########################################################################
# Vendor: smartertools.com SmarterMail 7.x (7.1.3876)
# Date: 2010-09-12
# Author : sqlhacker – http://cloudscan.me
# Thanks to : Burp Suite Pro - engagement tool
# : FuzzDB
# Contact : [email protected]
# Home : http://cloudscan.me
# Dork : insite: SmarterMail Enterprise 7.1
# Bug : Directory Traversal, OS Command Injection, Other Critcal Vulns
# Tested on : SmarterMail 7.x (7.1.3876) // Windows 2008 /64/R2
# Vendor Contact - August 14, 2
Exploit-DB
Coppermine Photo Gallery 1.4.18 - Local File Inclusion / Remote Code Execution
exploitdb·2008-07-31
CVE-2008-3486 Coppermine Photo Gallery 1.4.18 - Local File Inclusion / Remote Code Execution
---
authenticate();
[...]
// Process language selection if present in URI or in user profile or try
// autodetection if default charset is utf-8
if (!empty($_GET['lang']))
{
    $USER['lang'] = ereg("^[a-z0-9_-]*$", $_GET['lang']) ? $_GET['lang'] : $CONFIG['lang'];
}

if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php'))
{
    $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language
    $CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________');
}
elseif ($CONFIG['charset'] == 'utf-8')
[...]
(.*)themes/", http_send($host, $packet), $match);
$path_disc = $match[1];
}
function get_logs()
No writeups or analysis indexed.
http://secunia.com/advisories/31295
http://securityreason.com/securityalert/4108
http://www.securityfocus.com/bid/30480
https://exchange.xforce.ibmcloud.com/vulnerabilities/44133
https://www.exploit-db.com/exploits/6178