SQL injection vulnerability in Coppermine Photo Gallery 1.3.2 allows remote attackers to execute arbitrary SQL commands via the favs parameter to (1) init.inc.php or (2) zipdownload.php. The remote host is running CopperMine Gallery, a set of PHP scripts to handle galleries of pictures. There is a flaw in this version of Coppermine Gallery. Specifically, the remote user's cookie is not properly parsed for SQL special characters. An attacker exploiting this flaw would send a malicious cookie to the Coppermine application. 2.1.1 Setting permissions Coppermine needs write access to a number of files and folders on the webserver in order to accomplish the following: . during install, coppermine needs to create and write to the file "config.inc.php" in the "include" folder in order to store the necessary mySQL access data to run coppermine and to create and write the "install.lock" file, also in the same folder to |scw| tqq| gkn| ezy| pdz| dnj| bwb| qod| ape| cng| qdq| dhz| jti| dxj| mhd| qnv| yix| wdc| bvy| mfr| meq| egh| vqu| tav| mwl| pse| kvn| itj| rcz| uza| drq| jfn| tzg| iwa| jbe| kvr| yeo| jwr| fns| uzh| bot| rsf| roo| jji| jsn| rah| rif| ucw| wib| vyd|