[ORIGINAL ADVISORY:] http://myimei.com/security/2006-06-11/copperminephotogallery148-addhit-function-sqlinjection-attack.html
HTTP://KAPDA.IR

——-Summary——-
Software: CPG Coppermine Photo Gallery
Software's Web Site: http://coppermine.sourceforge.net/
Versions: 1.4.8.stable
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: Medium-High

——-Description——-
There is a security flaw in Coppermine Photo Gallery, one of the popular photo galleries on the internet, that allows an attacker to perform an SQL injection attack. Because the application trusts user-supplied data (the User-Agent and the Referer URL), which may contain quotation marks, malicious people can execute SQL commands while a picture is being viewed, and probably in other processes the gallery provides.

——-See Also——-
include/function.inc.php, function add_hit:

$query = "INSERT INTO {$CONFIG['TABLE_HIT_STATS']} SET pid = $pid, search_phrase = '$query_term', Ip = '$_SERVER[REMOTE_ADDR]', sdate = '$time', referer='$_SERVER[HTTP_REFERER]', browser = '$browser', os = '$os'";
cpg_db_query($query);

Both of the marked values (referer and browser) can be exploited.

——-Conditions——-
$CONFIG['hit_details'] should be true. {set in the gallery settings in the admin area}

——-Exploit——-
GET /cpg/displayimage.php?album=random&cat=0&pos=-{Not Viewed Image ID} HTTP/1.1
Host: O_O
User-Agent: 'sql commands
Keep-Alive: 300
Cookie: valid login

——-Credit——-
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
imei(4}Kapda(O}IR
www.myimei.com
myimei.com/security
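The root cause above is string interpolation of request headers into the INSERT statement. The following is an added example of how add_hit could be written so that the Referer and User-Agent values are bound as parameters instead; it is not Coppermine's own code or patch. It assumes a mysqli connection in $db, a function name add_hit_safe, and the column layout shown in the advisory's query; $CONFIG['TABLE_HIT_STATS'] and $CONFIG['hit_details'] are the configuration keys the advisory names.

```php
<?php
// Added example (not Coppermine's code): hardened hit logging that binds every
// request- or user-derived value as a parameter. Assumes a mysqli connection in
// $db; the function name add_hit_safe and the explicit column list are
// assumptions, the column names themselves come from the advisory's query.

function add_hit_safe(mysqli $db, array $CONFIG, int $pid, string $query_term, string $browser, string $os): bool
{
    // Same gating condition as the original: nothing is recorded unless
    // hit-detail logging is switched on in the admin area.
    if (empty($CONFIG['hit_details'])) {
        return true;
    }

    // Header values are attacker-controlled. They are treated purely as data
    // here, and their length is bounded so a client cannot bloat the table.
    $ip      = substr($_SERVER['REMOTE_ADDR'] ?? '', 0, 45);
    $referer = substr($_SERVER['HTTP_REFERER'] ?? '', 0, 255);
    $browser = substr($browser, 0, 255);
    $time    = time();

    // A table name cannot be bound as a parameter. It is taken only from
    // configuration (never from the request) and checked against a strict
    // identifier pattern before being spliced into the statement.
    $table = (string) ($CONFIG['TABLE_HIT_STATS'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException('unexpected hit stats table name');
    }

    $sql = "INSERT INTO {$table} (pid, search_phrase, Ip, sdate, referer, browser, os)
            VALUES (?, ?, ?, ?, ?, ?, ?)";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return false;
    }

    // Type string: pid and sdate are integers, everything else is a string.
    // Quotation marks inside $referer or $browser never reach the SQL parser.
    $stmt->bind_param('ississs', $pid, $query_term, $ip, $time, $referer, $browser, $os);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The same pattern applies to any other place where a request header, cookie or query parameter is concatenated into SQL: bind it, or at minimum pass it through the database driver's escaping function, and never rely on the value "looking harmless" (a User-Agent is as attacker-controlled as a form field).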