Invision Gallery 2.0.6 ( SQL Injection ) May 02 2006 02:35PM
o y 6 hotmail com
[left]

Invision Gallery 2.0.6 ( SQL Injection )

File :- modules/gallery/post.php

Line :- 943

Bug By :- Devil-00

* Welcome Back ( Security4arab ) *

Arabian Security WebSites

www.s4a.cc

www.securitygurus.net

[php]

$this->ipsclass->DB->simple_construct( array( 'select' => 'COUNT(*) AS total', 'from' => 'gallery_images', 'where' => "album_id={$this->ipsclass->input['album']}" ) );

[/php]

$this->ipsclass->input['album'] = Unfilter Input

Exploit :-

Post New Image Then Edit POST Requset By HTTPLiveHeader

album=[SQL]

Fix :-

[php]

$this->ipsclass->DB->simple_construct( array( 'select' => 'COUNT(*) AS total', 'from' => 'gallery_images', 'where' => "album_id={".intval($this->ipsclass->input['album'])."}" ) );

[/php]

[/left]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus