MonAlbum 0.8.7 SQL Injection

2006.04.01
Credit: undefined1
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

advisory by undefined1_ @ bash-x.net/undef/ Mon Album 0.8.7 http://www.3dsrc.com/monalbum/ There are 2 sql injection flaws in MonAlbum 0.8.7. First in index.php (line 99) if (isset($_GET["pc"])) $pc = $_GET["pc"]; ... (no sanity checks) if (isset($pc) && $grech_inactive) $result = execute_requete("select id_rub, nom, commentaire from monalbum_rubrique where ( nom like "%$pc%" or commentaire like "%$pc%" ) and (id_rub_mere <> 0 and id_rub <> 0) limit " . $deb . ", ". ($ghor*$gvert)); The second flaw is located in the comments system in image_agrandir.php (line 228) $pnom = $_POST['pnom']; $pcourriel = $_POST['pcourriel']; $pcommentaire = $_POST['pcommentaire']; ... (no sanity checks) execute_requete("insert into monalbum_commentaire (id_image, nom, courriel, commentaire, date_com) values ($id_image, "$pnom","$pcourriel", "".addslashes($pcommentaire)."", "".date("Y-m-d")."" )");


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com

 

Back to Top