Pixelpost 1.7.3 Multiple POST Variables SQL Injection Vulnerability

Published: Feb 11, 2011 - 12:00 a.m. (2011-02-11 00:00:00)
Author: Gjoko Krstic, Zero Science Lab (zeroscience.mk)
Advisory ID: ZSL-2011-4992

CVSS2: 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

AI Score: 7.5 High (Confidence: Low)

EPSS: 0.001 Low (Percentile: 23.8%)

Title: Pixelpost 1.7.3 Multiple POST Variables SQL Injection Vulnerability
Advisory ID: ZSL-2011-4992
Type: Local/Remote
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (4/5)
Release Date: 11.02.2011

Summary

Pixelpost is an open-source, standards-compliant, multi-lingual, fully extensible photoblog application for the web. Anyone who has web-space that meets the requirements can download and use Pixelpost for free!

Description

Pixelpost is vulnerable to an SQL Injection attack when input is passed to several POST parameters (findfid, id, selectfcat, selectfmon, selectftag). The script (admin/index.php) fails to properly sanitize the input before being returned to the user allowing the attacker to compromise the entire DB system and view sensitive information.

Vendor

Pixelpost.org - <http://www.pixelpost.org>

Affected Version

1.7.3

Tested On

Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41

Vendor Status

N/A

PoC

pixelpost_sql.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://packetstormsecurity.org/files/98428>
[2] <http://www.exploit-db.com/exploits/16160>
[3] <http://securityreason.com/wlb_show/WLB-2011020049>
[4] <http://www.securityfocus.com/bid/46348>
[5] <https://vulners.com/cve/CVE-2011-1100>
[6] <https://nvd.nist.gov/vuln/detail/CVE-2011-1100>

Changelog

[11.02.2011] - Initial release
[12.02.2011] - Added reference [1], [2] and [3]
[14.02.2011] - Added reference [4]
[25.10.2021] - Added reference [5] and [6]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

--------------------------------------------------------------------

Pixelpost 1.7.3 Multiple POST Variables SQL Injection Vulnerability

Vendor: Pixelpost.org
Product web page: http://www.pixelpost.org
Affected version: 1.7.3

Summary: Pixelpost is an open-source, standards-compliant, multi-lingual,
fully extensible photoblog application for the web. Anyone who has web-space
that meets the requirements can download and use Pixelpost for free!

Desc: Pixelpost is vulnerable to an SQL Injection attack when input is passed
to several POST parameters (findfid, id, selectfcat, selectfmon, selectftag).
The script (admin/index.php) fails to properly sanitize the input before being
returned to the user allowing the attacker to compromise the entire DB system
and view sensitive information.

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com
                            Zero Science Lab - http://www.zeroscience.mk

Advisory ID: ZSL-2011-4992
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4992.php


03.02.2011

--------------------------------------------------------------------

Vulnerable variables:

- findfid
- id
- selectfcat
- selectfmon
- selectftag

Example:

POST /pixelpost_v1.7.3/admin/index.php?view=images HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Content-Length: 62
Cookie: PHPSESSID=9nqb5cbq1v4si85tidd4gas166;passwordbla=
Connection: Close
Pragma: no-cache

selectfcat=3&selectftag=1&selectfmon=1&findfid=1[SQLi]&findid=Go%21

------

HTTP/1.1 200 OK

You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '' limit 0,1' at line 1.

-------
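An added example, not taken from the advisory or from Pixelpost, of the request- and response-side checks a defender can run for this issue: it flags any of the five advisory parameters whose value is not a plain integer, and recognises the MySQL syntax-error text shown in the PoC response above. The sample bodies are constructed from the PoC, and treating all five parameters as numeric identifiers is an assumption.

```python
"""Request/response checks for the Pixelpost 1.7.3 admin/index.php SQLi (ZSL-2011-4992).

Added example, not part of the advisory or of Pixelpost. Parameter names and the
MySQL error text come from the advisory; the sample requests are constructed.
"""
import re
from urllib.parse import parse_qs

# POST parameters named in the advisory. Assumption: each carries a numeric
# identifier (photo id, category, month, tag), so anything but digits is rejected.
VULNERABLE_PARAMS = ("findfid", "id", "selectfcat", "selectfmon", "selectftag")
INTEGER_ONLY = re.compile(r"^[0-9]{1,10}$")

# Signature of the error-based response shown in the advisory's PoC.
MYSQL_SYNTAX_ERROR = re.compile(r"You have an error in your SQL syntax", re.I)


def suspicious_params(body):
    """Return (name, value) pairs for advisory parameters whose value is not a plain integer."""
    form = parse_qs(body, keep_blank_values=True)
    bad = []
    for name in VULNERABLE_PARAMS:
        for value in form.get(name, []):
            if not INTEGER_ONLY.match(value):
                bad.append((name, value))
    return bad


def leaks_sql_error(response_body):
    """True when a response echoes the MySQL syntax error from the PoC (error-based SQLi signal)."""
    return MYSQL_SYNTAX_ERROR.search(response_body) is not None


# Constructed samples: the PoC request body (its [SQLi] marker kept as a placeholder),
# a benign body a normal form submission would produce, and the PoC response text.
POC_BODY = "selectfcat=3&selectftag=1&selectfmon=1&findfid=1[SQLi]&findid=Go%21"
BENIGN_BODY = "selectfcat=3&selectftag=1&selectfmon=1&findfid=1&findid=Go%21"
POC_RESPONSE = ("You have an error in your SQL syntax; check the manual that corresponds "
                "to your MySQL server version for the right syntax to use near '' limit 0,1' at line 1.")

if __name__ == "__main__":
    print(suspicious_params(POC_BODY))     # [('findfid', '1[SQLi]')]
    print(suspicious_params(BENIGN_BODY))  # []
    print(leaks_sql_error(POC_RESPONSE))   # True
```

Either check alone is a useful detection rule: a non-integer value in these parameters at the request edge, or the MySQL error text in a 200 OK response, is enough to alert on.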
