[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: MonAlbum 0.8.7 SQL Injection
From: undefined1 () gmail ! com
Date: 2006-03-31 2:05:18
Message-ID: 20060331020518.7036.qmail () securityfocus ! com
[Download RAW message or body]
advisory by undefined1_ @ bash-x.net/undef/
Mon Album 0.8.7
http://www.3dsrc.com/monalbum/
There are 2 sql injection flaws in MonAlbum 0.8.7. First in index.php (line 99)
if (isset($_GET["pc"])) $pc = $_GET["pc"];
... (no sanity checks)
if (isset($pc) && $grech_inactive) $result = execute_requete("select id_rub, nom, \
commentaire from monalbum_rubrique where ( nom like \"%$pc%\" or commentaire like \
\"%$pc%\" ) and (id_rub_mere <> 0 and id_rub <> 0) limit " . $deb . ", ". \
($ghor*$gvert));
The second flaw is located in the comments system in image_agrandir.php (line 228)
$pnom = $_POST['pnom'];
$pcourriel = $_POST['pcourriel'];
$pcommentaire = $_POST['pcommentaire'];
... (no sanity checks)
execute_requete("insert into monalbum_commentaire (id_image, nom, courriel, \
commentaire, date_com) values ($id_image, \"$pnom\",\"$pcourriel\", \
\"".addslashes($pcommentaire)."\", \"".date("Y-m-d")."\" )");
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic