SelectaPix admin/member.php Multiple Variable SQL Injection

2006-06-09T03:34:08
ID OSVDB:26246
Type osvdb
Reporter Andreas Sandblad (as@secunia.com)
Modified 2006-06-09T03:34:08

Description

Vulnerability Description

SelectaPix Image Gallery contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin/member.php script not properly sanitizing user-supplied input to the 'username' or 'password' variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.
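To make the defect class concrete, the following PHP is an added illustration written for this record, not SelectaPix code: a login lookup that splices the request-supplied 'username' and 'password' into the SQL text, beside the bound-parameter form that removes the problem. The `members` table, its columns and the sample row are assumptions constructed for an in-memory SQLite database.

```php
<?php
// Added illustration, not SelectaPix code: the defect class the advisory
// describes (request-supplied 'username'/'password' spliced into SQL) next
// to the fix that removes it. Table name `members` and column names are
// assumptions; the data below is constructed for an in-memory SQLite database.
declare(strict_types=1);

// Vulnerable pattern: the values become part of the SQL text, so any quote
// or SQL syntax in them changes the statement the database executes.
function find_member_unsafe(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT id FROM members WHERE username = '$username' AND password = '$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the SQL text is fixed at prepare time and the username
// travels as a bound parameter; the password is checked against a stored
// hash in PHP rather than compared inside the query at all.
function find_member_safe(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, (string) $row['password_hash'])) {
        return null;
    }
    return ['id' => $row['id']];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO members (username, password, password_hash) VALUES (?, ?, ?)');
$ins->execute(["o'brien", 'pw', password_hash('pw', PASSWORD_DEFAULT)]);

// A perfectly legitimate username containing an apostrophe is enough to
// show the difference: the unsafe query's structure depends on the input,
// so the database rejects it, while the bound parameter is handled as data.
try {
    find_member_unsafe($db, "o'brien", 'pw');
    echo "unsafe: query ran\n";
} catch (PDOException $e) {
    echo "unsafe: input altered the SQL -> " . $e->getMessage() . "\n";
}
$ok = find_member_safe($db, "o'brien", 'pw');
echo 'safe: ' . ($ok !== null ? "member {$ok['id']} authenticated" : 'rejected') . "\n";
```

The same input that breaks the concatenated query is handled correctly by the prepared statement, which is why the fix is structural rather than a matter of escaping individual characters.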

Solution Description

Upgrade to version 1.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.outofthetrees.co.uk/selectapix/index.php
Secunia Advisory ID: 20134
Related OSVDB ID: 26245
Related OSVDB ID: 26244
Related OSVDB ID: 26247
Related OSVDB ID: 26243
Other Advisory URL: http://secunia.com/secunia_research/2006-39/advisory/
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0109.html
CVE-2006-2912