|
|
Family: CGI abuses --> Category: attack
PhotoPost Multiple Input Validation Vulnerabilities Vulnerability Scan
Vulnerability Scan Summary
Checks for multiple input validation vulnerabilities in PhotoPost PHP
Detailed Explanation for this Vulnerability Test
Synopsis :
The remote web server contains a PHP application that is affected by
several vulnerabilities.
Description :
The version of PhotoPost PHP installed on the remote host is prone to
multiple input validation vulnerabilities:
o Multiple SQL Injection Vulnerabilities
The application fails to properly sanitize user-input via
the 'sl' parameter of the 'showmembers.php' script, and
the 'photo' parameter of the 'showphoto.php' script. An
attacker can exploit these flaws to manipulate SQL
queries, possibly destroying or revealing sensitive data.
o Multiple Cross-Site Scripting Vulnerabilities
The application fails to properly sanitize user-input via
the 'photo' parameter of the 'slideshow.php' script, the
'cat', 'password', 'si', 'ppuser', and 'sort' parameters
of the 'showgallery.php' script, and the 'ppuser', 'sort',
and 'si' parameters of the 'showmembers.php' script.
A possible hacker can exploit these flaws to inject arbitrary
HTML or code script in a user's browser in the context of
the affected web site, resulting in theft of
authentication data or other such attacks.
See also :
http://archives.neohapsis.com/archives/bugtraq/2005-03/0471.html
Solution :
The issues are reportedly fixed by upgrading to PhotoPost PHP version
5.1.
Threat Level:
Medium / CVSS Base Score : 5
(AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N)
Click HERE for more information and discussions on this network vulnerability scan.
|
