PhotoPost PHP Pro SQL Injection Vulnerability

Summary

PhotoPost PHP Pro ‘lets your users upload and discuss photos in galleries that you create as well as public and private albums that they create, and it integrates seamlessly into your current site design.’

A SQL injection flaw in PhotoPost PHP Pro allows a remote attacker to read sensitive information from the application's database, information that could then be used to gain unauthorized access.

Credit:

The information has been provided by G00db0y of Zone-H Security.
The original article can be found at: http://www.zone-h.org/en/advisories/read/id=3844/


Details

Vulnerable Systems:
 * Photopost PHP Pro version 4.6 and prior

The problem is insufficient sanitization of user-supplied data: the value of the photo parameter passed to showphoto.php is used in an SQL query without being validated or escaped. A remote attacker can exploit this to inject arbitrary SQL into that query, which may disclose sensitive information from the database.

Example:
http://address/directory/showphoto.php?photo=[query]
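To illustrate the pattern behind the advisory, the following Python/sqlite3 model is an added example and is not PhotoPost's own code (the product is written in PHP and its source is not reproduced here). It shows a showphoto-style lookup that concatenates the photo parameter into its query, a UNION payload of the kind the [query] placeholder above stands for, and a hardened version that allow-lists the parameter as a plain integer and binds it as a query parameter. The table names, columns and sample rows are constructed for this example.

```python
"""Model of an unsanitized integer lookup parameter, beside its hardened form.

Not PhotoPost's code: the schema, column names and rows below are constructed
for this example only.
"""
import re
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a gallery's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, private INTEGER);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, passhash TEXT);
        INSERT INTO photos VALUES (1, 'sunset', 0), (2, 'family-album', 1);
        INSERT INTO users  VALUES (1, 'admin', 'assumed-admin-hash');
        """
    )
    conn.commit()
    return conn


def show_photo_vulnerable(conn: sqlite3.Connection, photo: str) -> list:
    """Models the flaw: the request parameter is spliced straight into the
    statement, so whoever controls 'photo' controls the rest of the query."""
    sql = "SELECT id, title FROM photos WHERE id = " + photo + " AND private = 0"
    return conn.execute(sql).fetchall()


def parse_photo_id(value: str) -> int:
    """Strict allow-list: only ASCII digits are accepted.

    str.isdigit() is deliberately avoided because it also accepts Unicode
    digit characters that int() then rejects or that may be mishandled later.
    """
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("photo must be a positive integer")
    return int(value)


def show_photo_safe(conn: sqlite3.Connection, photo: str) -> list:
    """Hardened form: validate the type, then bind the value as a parameter
    so the database driver never treats it as SQL syntax."""
    photo_id = parse_photo_id(photo)
    sql = "SELECT id, title FROM photos WHERE id = ? AND private = 0"
    return conn.execute(sql, (photo_id,)).fetchall()


# UNION payload in the position of [query]: the trailing '--' comments out the
# 'AND private = 0' filter, so the private-photo check is bypassed as well.
INJECTED_PHOTO = "0 UNION SELECT id, passhash FROM users --"


def run_demo() -> dict:
    """Runs every case once and returns the results for inspection."""
    conn = build_sample_db()
    results = {
        "normal": show_photo_vulnerable(conn, "1"),
        "private_hidden": show_photo_vulnerable(conn, "2"),
        "injected": show_photo_vulnerable(conn, INJECTED_PHOTO),
        "hardened_normal": show_photo_safe(conn, "1"),
    }
    try:
        show_photo_safe(conn, INJECTED_PHOTO)
        results["hardened_injected"] = "accepted"
    except ValueError:
        results["hardened_injected"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:18} {value}")
```

The vulnerable lookup returns the sample user's password hash for the injected value, while the hardened lookup rejects it before any SQL is built. The same two steps, a strict type check followed by a bound parameter, are what a fix for a parameter like photo needs in any language; escaping alone is not sufficient for a value used in a numeric context, since no quotes need to be broken out of.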

Patch Availability:
The vendor has been contacted and a patch is available.
