Member
weweje   2010-03-28, 11:41
#1

Hi, rss.php is vulnerable to SQL injection via albumtitle=whatever&albumname=whatever'"

Administrator
acrylian   2010-03-28, 11:52
#2

I actually don't think so, as these query parameter values are sanitized via our sanitize() function before they are used.

Member
weweje   2010-03-28, 12:02
#3

zenphoto version 1.2.9 [5088]

/rss.php?albumtitle=blah&albumname=zob'"

```sql
SELECT images.albumid, images.filename AS filename, images.mtime as mtime, images.title AS title, albums.folder AS folder, images.show, albums.show, albums.password FROM `zp_images` AS images, `zp_albums` AS albums WHERE albums.folder = 'zob'"' AND images.albumid = albums.id AND images.show=1 AND albums.folder != '' AND albums.show=1 AND albums.folder != '' ORDER BY images.id DESC LIMIT 10
```

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"' AND images.albumid = albums.id AND images.show=1 AND albums.folder != '' AND' at line 1
```
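
The same query shape, as an added example that is not the thread's or Zenphoto's own code: an in-memory SQLite stand-in for the zp_albums/zp_images tables (constructed sample rows, trimmed column list), with the albumname value spliced into the SQL text the way the rss.php query above does it, beside the parameterized form that cannot be broken by the quote characters from post #3.

```python
import sqlite3

# Constructed stand-in for Zenphoto's zp_albums / zp_images tables
# (assumed layout, example code only, not Zenphoto's schema).
SCHEMA = """
CREATE TABLE zp_albums (id INTEGER PRIMARY KEY, folder TEXT, show INTEGER, password TEXT);
CREATE TABLE zp_images (id INTEGER PRIMARY KEY, albumid INTEGER, filename TEXT,
                        mtime INTEGER, title TEXT, show INTEGER);
INSERT INTO zp_albums VALUES (1, 'zob', 1, ''), (2, 'private', 0, 'secret');
INSERT INTO zp_images VALUES (1, 1, 'a.jpg', 1, 'A', 1), (2, 1, 'b.jpg', 2, 'B', 1),
                             (3, 2, 'c.jpg', 3, 'C', 1);
"""

# Same WHERE/ORDER structure as the rss.php query in the thread, with a
# placeholder where the albumname value goes.
SELECT = ("SELECT images.filename FROM zp_images AS images, zp_albums AS albums "
          "WHERE albums.folder = {} AND images.albumid = albums.id AND images.show=1 "
          "AND albums.folder != '' AND albums.show=1 ORDER BY images.id DESC LIMIT 10")


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def rss_images_concat(albumname):
    # Vulnerable pattern: the request value becomes part of the SQL text.
    # A stray quote ends the literal early, so the rest of the input is parsed
    # as SQL; the thread's zob'" value produces a syntax error here just as it
    # did in MySQL.
    sql = SELECT.format("'" + albumname + "'")
    return [row[0] for row in connect().execute(sql)]


def rss_images_param(albumname):
    # Hardened pattern: the value travels separately from the SQL text, so any
    # quote characters can only match (or fail to match) a folder name.
    sql = SELECT.format("?")
    return [row[0] for row in connect().execute(sql, (albumname,))]


def concat_is_broken_by(albumname):
    # True when splicing this value stops the statement from parsing at all,
    # which is the symptom reported in the thread.
    try:
        rss_images_concat(albumname)
        return False
    except sqlite3.OperationalError:
        return True
```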

Administrator
acrylian   2010-03-28, 12:31
#4

But that does no harm if the values make no sense to Zenphoto and just throws that error.

Administrator
acrylian   2010-03-28, 17:12
#5

We double-checked that and you are actually right. So the fix will be in tonight's nightly.
