SQL injection in /rss.php

Hi, rss.php is vulnerable to SQL injection via `albumtitle=whatever&albumname=whatever'"`

Comments

  • acrylian Administrator, Developer
    I actually don't think so, as these query parameter values are sanitized via our `sanitize()` function before they are used.
  • zenphoto version 1.2.9 [5088]

    `/rss.php?albumtitle=blah&albumname=zob'"`
    >
    ```
    SELECT images.albumid, images.filename AS filename, images.mtime as mtime, images.title AS title, albums.folder AS folder, images.show, albums.show, albums.password FROM zp_images AS images, zp_albums AS albums WHERE albums.folder = 'zob'"' AND images.albumid = albums.id AND images.show=1 AND albums.folder != '' AND albums.show=1 AND albums.folder != '' ORDER BY images.id DESC LIMIT 10
    ---
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"' AND images.albumid = albums.id AND images.show=1 AND albums.folder != '' AND' at line 1
    ```
  • acrylian Administrator, Developer
    But that does no harm if the values make no sense to Zenphoto and just throws that error.
  • acrylian Administrator, Developer
    We double checked that and you are actually right. So the fix will be in tonight's nightly.
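The failure in the trace above, next to the parameterized form that fixes it, as an added example that is not Zenphoto's code: the `zp_albums`/`zp_images` layout and rows are a constructed stand-in run against in-memory SQLite rather than MySQL, with only the columns the thread's query needs.

```python
import sqlite3

# Constructed stand-in for the two tables rss.php reads; not the real Zenphoto schema.
SCHEMA = """
CREATE TABLE zp_albums (id INTEGER PRIMARY KEY, folder TEXT, show INTEGER, password TEXT);
CREATE TABLE zp_images (id INTEGER PRIMARY KEY, albumid INTEGER, filename TEXT,
                        mtime INTEGER, title TEXT, show INTEGER);
INSERT INTO zp_albums VALUES (1, 'zob', 1, '');
INSERT INTO zp_images VALUES (1, 1, 'a.jpg', 0, 'A', 1), (2, 1, 'b.jpg', 0, 'B', 1);
"""

SELECT_PART = ("SELECT images.filename, albums.folder "
               "FROM zp_images AS images, zp_albums AS albums ")
TAIL = (" AND images.albumid = albums.id AND images.show=1 AND albums.folder != '' "
        "AND albums.show=1 ORDER BY images.id DESC LIMIT 10")


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def rss_query_vulnerable(conn, albumname):
    # Same shape as the query in the trace: the request value is spliced into
    # the SQL text, so a quote in it ends the literal and the rest is parsed as SQL.
    sql = SELECT_PART + "WHERE albums.folder = '" + albumname + "'" + TAIL
    return conn.execute(sql).fetchall()


def rss_query_parameterized(conn, albumname):
    # The value is bound as a parameter; quote characters stay inside the data
    # and can only ever be compared against albums.folder.
    sql = SELECT_PART + "WHERE albums.folder = ?" + TAIL
    return conn.execute(sql, (albumname,)).fetchall()


def feed_lookup(albumname):
    """Run both variants on one input; the vulnerable path reports a syntax error
    as ('error', message) instead of rows when the input breaks the statement."""
    conn = connect()
    try:
        vuln = ("ok", rss_query_vulnerable(conn, albumname))
    except sqlite3.OperationalError as exc:
        vuln = ("error", str(exc))
    safe = ("ok", rss_query_parameterized(conn, albumname))
    conn.close()
    return vuln, safe


if __name__ == "__main__":
    print(feed_lookup("zob"))      # both paths return the two images
    print(feed_lookup("zob'\""))   # the thread's input: vulnerable path errors, safe path returns []
```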