| VID |
21915 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Pixelpost program is vulnerable to multiple SQL injection vulnerabilities which exist in versions 1-5rc1-2 and earlier. Pixelpost is a photo BLOG application based on PHP and MySQL. Pixelpost versions 1-5rc1-2 and earlier are vulnerable to multiple SQL injection vulnerabilities, caused by improper filtering of user-supplied input passed to the category and archivedate parameters of the index.php script. If PHP's 'magic_quotes_gpc' setting is disabled, these vulnerabilities could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://forum.pixelpost.org/showthread.php?t=4331
http://www.securityfocus.com/archive/1/435856/30/60/threaded
http://retrogod.altervista.org/pixelpost_15rc12_xpl.html
http://securitytracker.com/id?1016217
http://www.milw0rm.com/exploits/1868
* Platforms Affected:
Pixelpost versions 1-5rc1-2 and earlier
Any operating system Any version |
| Recommendation |
Apply the patches as listed in the Pixelpost Forum Web site at http://forum.pixelpost.org/showthread.php?t=4331
-- OR --
Upgrade to a version of Pixelpost greater than 1-5rc1-2, when new fixed version becomes available from the Pixelpost Web site at http://www.pixelpost.org/ |
| Related URL |
CVE-2006-2889,CVE-2006-2890 (CVE) |
| Related URL |
18276 (SecurityFocus) |
| Related URL |
(ISS) |
|
