PhotoPost Pro member.php uid Parameter SQL Injection
2005-03-11T05:40:19
ID OSVDB:14679 Type osvdb Reporter Igor Franchuk(sprog@online.ru) Modified 2005-03-11T05:40:19
Description
Vulnerability Description
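PhotoPost Pro contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The 'uid' parameter of the 'member.php' script is not properly sanitized before it is used in a SQL query, so a remote attacker may be able to inject or manipulate the queries the application sends to its database. The CVSS vector recorded for this entry (AV:NETWORK/AC:LOW/Au:NONE) indicates that the flaw is reachable over the network and requires no authentication.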
Solution Description
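Upgrade to version 5.01 or higher, which has been reported to fix this vulnerability. An upgrade is required because there are no known workarounds. Upgrading does not show whether the flaw was used before the fix was applied: review web server logs for requests to 'member.php' whose 'uid' value contains anything other than the expected identifier, and if such requests are found, treat account data held in the application's database as potentially disclosed or modified.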
Short Description
PhotoPost Pro contains a flaw that may allow a remote attacker to inject or manipulate SQL queries, because the 'uid' parameter in the 'member.php' script is not properly sanitized.
{"type": "osvdb", "published": "2005-03-11T05:40:19", "href": "https://vulners.com/osvdb/OSVDB:14679", "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "viewCount": 4, "edition": 1, "reporter": "Igor Franchuk(sprog@online.ru)", "title": "PhotoPost Pro member.php uid Parameter SQL Injection", "affectedSoftware": [{"operator": "eq", "version": "5.0 RC3", "name": "PhotoPost PHP Pro"}], "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2017-04-28T13:20:10", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-0774"]}, {"type": "nessus", "idList": ["PHOTOPOST_MULTIPLE_VULNS.NASL"]}], "modified": "2017-04-28T13:20:10", "rev": 2}, "vulnersScore": 7.2}, "references": [], "id": "OSVDB:14679", "lastseen": "2017-04-28T13:20:10", "cvelist": ["CVE-2005-0774"], "modified": "2005-03-11T05:40:19", "description": "## Vulnerability Description\nPhotoPost Pro contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. The issue is due to the 'uid' parameter in the 'member.php' script not being properly sanitized and may allow a remote attacker to inject or manipulate SQL queries.\n## Solution Description\nUpgrade to version 5.01 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nPhotoPost Pro contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. 
The issue is due to the 'uid' parameter in the 'member.php' script not being properly sanitized and may allow a remote attacker to inject or manipulate SQL queries.\n## Manual Testing Notes\nhttp://[victim]/photopost/member.php?ppaction=rpwd&verifykey=0&uid=0%20union%20select%20\"0\",\"yourmail@host.zone\",%20concat(username,\"%20\",%20password)%20from%20users\n## References:\nVendor URL: http://www.photopost.com/\n[Secunia Advisory ID:14576](https://secuniaresearch.flexerasoftware.com/advisories/14576/)\n[Related OSVDB ID: 14680](https://vulners.com/osvdb/OSVDB:14680)\n[Related OSVDB ID: 14681](https://vulners.com/osvdb/OSVDB:14681)\n[Related OSVDB ID: 14682](https://vulners.com/osvdb/OSVDB:14682)\n[Related OSVDB ID: 14683](https://vulners.com/osvdb/OSVDB:14683)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-03/0200.html\nISS X-Force ID: 19675\n[CVE-2005-0774](https://vulners.com/cve/CVE-2005-0774)\nBugtraq ID: 12779\n"}
{"cve": [{"lastseen": "2021-02-02T05:24:35", "description": "SQL injection vulnerability in member.php and possibly other scripts in PhotoPost PHP 5.0 RC3 allows remote attackers to execute arbitrary SQL commands via the uid parameter.", "edition": 4, "cvss3": {}, "published": "2005-03-10T05:00:00", "title": "CVE-2005-0774", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-0774"], "modified": "2017-07-11T01:32:00", "cpe": ["cpe:/a:photopost:photopost_php_pro:5.0_rc3"], "id": "CVE-2005-0774", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0774", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:photopost:photopost_php_pro:5.0_rc3:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-20T13:25:43", "description": "According to its banner, the version of PhotoPost PHP installed on the\nremote host has several vulnerabilities:\n\n - An Access Validation Vulnerability.\n The 'adm-photo.php' script fails to verify authentication\n credentials, which allows an attacker to change the \n properties of thumbnails of uploaded images.\n\n - A SQL Injection Vulnerability.\n The 'uid' parameter in the 'member.php' script is not \n properly sanitized before use in SQL queries. 
An\n attacker can leverage this flaw to disclose or modify\n sensitive information or perhaps even launch attacks\n against the underlying database implementation.\n\n - A Cross-site Scripting (XSS) Vulnerability.\n The 'editbio' parameter of the user profile form is not sanitized\n properly, allowing an attacker to inject arbitrary script or\n HTML in a user's browser in the context of the affected website, \n resulting in theft of authentication data or other such attacks.", "edition": 27, "published": "2005-03-11T00:00:00", "title": "PhotoPost PHP < 5.0.1 Multiple Remote Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0776", "CVE-2005-1629", "CVE-2005-0775", "CVE-2005-0778", "CVE-2005-0774", "CVE-2005-0777"], "modified": "2005-03-11T00:00:00", "cpe": ["cpe:/a:photopost:photopost_php_pro", "cpe:/a:photopost:photopost_php"], "id": "PHOTOPOST_MULTIPLE_VULNS.NASL", "href": "https://www.tenable.com/plugins/nessus/17314", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(17314);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2005-0774\", \"CVE-2005-0775\", \"CVE-2005-0776\", \"CVE-2005-0777\", \"CVE-2005-0778\", \"CVE-2005-1629\");\n script_bugtraq_id(12779, 13620);\n\n script_name(english:\"PhotoPost PHP < 5.0.1 Multiple Remote Vulnerabilities\");\n script_summary(english:\"Checks for multiple remote vulnerabilities in PhotoPost PHP 5.0 RC3 and older\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that is affected by\nseveral vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of PhotoPost PHP installed on the\nremote host has several vulnerabilities:\n\n - An Access Validation 
Vulnerability.\n The 'adm-photo.php' script fails to verify authentication\n credentials, which allows an attacker to change the \n properties of thumbnails of uploaded images.\n\n - A SQL Injection Vulnerability.\n The 'uid' parameter in the 'member.php' script is not \n properly sanitized before use in SQL queries. An\n attacker can leverage this flaw to disclose or modify\n sensitive information or perhaps even launch attacks\n against the underlying database implementation.\n\n - A Cross-site Scripting (XSS) Vulnerability.\n The 'editbio' parameter of the user profile form is not sanitized\n properly, allowing an attacker to inject arbitrary script or\n HTML in a user's browser in the context of the affected website, \n resulting in theft of authentication data or other such attacks.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Mar/213\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2005/May/311\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PhotoPost PHP version 5.01 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/03/11\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/03/11\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:photopost:photopost_php\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:photopost:photopost_php_pro\");\n script_end_attributes();\n \n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"photopost_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/photopost\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/photopost\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n\n if (ver =~ \"^[0-4].*|5\\.0[^0-9]?|5\\.0rc[123]$\")\n {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}