Invision Gallery 2.0.6 ( SQL Injection )

[left]

Invision Gallery  2.0.6 ( SQL Injection )

File   :- modules/gallery/post.php

Line   :- 943

Bug By :- Devil-00

* Welcome Back ( Security4arab ) *

Arabian Security WebSites

www.s4a.cc

www.securitygurus.net

[php]

$this->ipsclass->DB->simple_construct( array( 'select' => 'COUNT(*) AS total', 'from' => 'gallery_images', 'where' => "album_id={$this->ipsclass->input['album']}" ) );

[/php]

$this->ipsclass->input['album'] = Unfilter Input

Exploit :-

Post New Image Then Edit POST Requset By HTTPLiveHeader

album=[SQL]

Fix :-

[php]

$this->ipsclass->DB->simple_construct( array( 'select' => 'COUNT(*) AS total', 'from' => 'gallery_images', 'where' => "album_id={".intval($this->ipsclass->input['album'])."}" ) );

[/php]

[/left]