by r0t,der4444,cembo,VietMafia

Tuesday, December 13, 2005

PhpWebGallery multiple SQL inj.

Vuln. discovered by: r0t
Date: 13 Dec. 2005
Vendor: http://www.phpwebgallery.net/
Affected version: 1.5.1 and prior


Product Description:

PhpWebGallery is an image gallery with a simple installation interface and admin panel. Features: user management, groups, category privacy status, multi-server support (to store your pictures on another Web site), user comments, HTML templates, virtual categories, multilingual support, advanced search tool, rating, random pictures, EXIF and IPTC support...



Vuln. Description:


PhpWebGallery contains a flaw that allows remote SQL injection attacks. Input passed to the "since", "sort_by", "items_number", "search" and "image_id" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.



Examples:

/comments.php?keyword=&author=&cat=0&since=[SQL]

/comments.php?keyword=&author=&cat=0&since=1&sort_by=[SQL]

/comments.php?keyword=&author=&cat=0&since=1&sort_by=date&sort_order=descending&items_number=[SQL]

/category.php?cat=search&search=[SQL]

/picture.php?cat=best_rated&image_id=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.
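One way to carry out that fix for the three parameters the developer confirms in the comments (image_id, sort_by, items_number), as an added PHP example that is not PhpWebGallery's own code; the table and column names and the database credentials are assumptions:

```php
<?php
// Added example, not PhpWebGallery code: hardened handling of the three
// parameters the developer confirmed (image_id, sort_by, items_number).
// Table/column names and credentials below are assumptions.
// ORDER BY cannot be a bound parameter, so map request values onto a
// fixed list of column names instead of interpolating them.
const SORT_BY_ALLOWED = ['date' => 'date', 'author' => 'author'];

function clean_image_id(array $get): int
{
    // image_id must be a positive integer; anything else is rejected.
    $id = filter_var($get['image_id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('invalid image_id');
    }
    return $id;
}

function clean_sort_by(array $get): string
{
    $key = (string)($get['sort_by'] ?? '');
    return SORT_BY_ALLOWED[$key] ?? 'date';   // unknown value -> default
}

function clean_items_number(array $get): int
{
    // LIMIT value: integer only, clamped to 1..100.
    $n = filter_var($get['items_number'] ?? 10, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 100]]);
    return $n === false ? 10 : $n;
}

// Vulnerable pattern described in the advisory: request values pasted
// straight into the SQL string, e.g.
//   "... ORDER BY " . $_GET['sort_by'] . " LIMIT " . $_GET['items_number']
// Hardened: validated identifier in the string, values bound as integers.
$db = new mysqli('localhost', 'gallery_user', 'secret', 'gallery');
$sort_by = clean_sort_by($_GET);
$items   = clean_items_number($_GET);
$stmt = $db->prepare("SELECT id, author, content FROM comments ORDER BY `$sort_by` DESC LIMIT ?");
$stmt->bind_param('i', $items);
$stmt->execute();

$image_id = clean_image_id($_GET);
$stmt = $db->prepare("SELECT id, file FROM images WHERE id = ?");
$stmt->bind_param('i', $image_id);
$stmt->execute();
```

The same pattern (validate identifiers against a fixed list, bind values) applies to any other request parameter that reaches a query.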

2 Comments:

Anonymous Pierrick LE GALL told...

Hi,

I'm a PhpWebGallery developer. Thanks for your bug notification (I would have liked a notification in the bug tracker http://bugs.phpwebgallery.net).

I confirm for :

- picture.php : image_id
- comments.php : sort_by
- comments.php : items_number

I do not confirm for :

- comments.php : since (never directly used in queries)
- category.php : search (a quite complex extraction is made on this GET parameter, see include/functions_category.inc.php)

Can you give me an example for the one I do not confirm ?

12:38 PM

 
Anonymous Pierrick LE GALL told...

I've just uploaded release 1.5.2 correcting the bug you discovered.

Please use the PhpWebGallery bug tracker next time; bugs are corrected faster this way. I found your bug submission on December 24th (and released 1.5.2 the next day) while you published this blog entry on December 13th, 2005 :-/

12:45 AM

Copyright (c) 2006 Pridels Sec Crew