Computer Security

Security Advisory: MonAlbum 0.8.7 SQL Injection
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  [SA19453] v-creator VCEngine.php Shell Command Injection Vulnerability

  [SA19483] Groupmax World Wide Web Cross-Site Scripting Vulnerability

  Oxygen<=1.x.x SQL injection

  MediaSlash Gallery 'rub' variable  Remote File inlcusion Vulnerability

From:undefined1_(at)_gmail.com <undefined1_(at)_gmail.com>
Date:31.03.2006
Subject:MonAlbum 0.8.7 SQL Injection

advisory by undefined1_ @ bash-x.net/undef/

Mon Album 0.8.7
http://www.3dsrc.com/monalbum/

There are 2 sql injection flaws in MonAlbum 0.8.7. First in index.php (line 99)
if (isset($_GET["pc"])) $pc = $_GET["pc"];

... (no sanity checks)

if (isset($pc) && $grech_inactive) $result = execute_requete("select id_rub, nom, commentaire from monalbum_rubrique where ( nom like \"%$pc%\" or commentaire like \"%$pc%\" ) and (id_rub_mere <> 0 and id_rub <> 0) limit " . $deb . ", ". ($ghor*$gvert));



The second flaw is located in the comments system in image_agrandir.php (line 228)
$pnom = $_POST['pnom'];
$pcourriel = $_POST['pcourriel'];
$pcommentaire = $_POST['pcommentaire'];

... (no sanity checks)

execute_requete("insert into monalbum_commentaire (id_image, nom, courriel, commentaire, date_com) values ($id_image, \"$pnom\",\"$pcourriel\", \"".addslashes($pcommentaire)."\", \"".date("Y-m-d")."\" )");

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru