MonAlbum 0.8.7 SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MonAlbum 0.8.7 SQL Injection
From: undefined1@xxxxxxxxx
Date: 31 Mar 2006 02:05:18 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

advisory by undefined1_ @ bash-x.net/undef/

Mon Album 0.8.7
http://www.3dsrc.com/monalbum/

There are 2 sql injection flaws in MonAlbum 0.8.7. First in index.php (line 99)
if (isset($_GET["pc"])) $pc = $_GET["pc"];

... (no sanity checks)

if (isset($pc) && $grech_inactive) $result = execute_requete("select id_rub, 
nom, commentaire from monalbum_rubrique where ( nom like \"%$pc%\" or 
commentaire like \"%$pc%\" ) and (id_rub_mere <> 0 and id_rub <> 0) limit " . 
$deb . ", ". ($ghor*$gvert));



The second flaw is located in the comments system in image_agrandir.php (line 
228)
$pnom = $_POST['pnom'];
$pcourriel = $_POST['pcourriel'];
$pcommentaire = $_POST['pcommentaire'];

... (no sanity checks)

execute_requete("insert into monalbum_commentaire (id_image, nom, courriel, 
commentaire, date_com) values ($id_image, \"$pnom\",\"$pcourriel\", 
\"".addslashes($pcommentaire)."\", \"".date("Y-m-d")."\" )");

Prev by Date: Oxygen<=1.x.x SQL injection
Next by Date: Black Hat Call for Papers and Registration now open
Previous by thread: Oxygen<=1.x.x SQL injection
Next by thread: Black Hat Call for Papers and Registration now open
Index(es):
- Date
- Thread