Vendor: PhotoGallery
By: SecurityFocus
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: PhotoGallery
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002
XtremeASP PhotoGallery SQL Injection Vulnerability
XtremeASP PhotoGallery is prone to an SQL injection vulnerability. The issue is reported to exist in the administration login interface, which does not sufficiently sanitize the user-supplied username and password values before including them in SQL queries. This could permit remote attackers to pass malicious input to database queries. If an attacker enters 'or' as the username and password, they can gain admin access to the password-protected administrative pages.
Mitigation:
Input validation should be used to ensure that user-supplied data is properly sanitized before being included in SQL queries.
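As an added illustration of the mitigation (not code from PhotoGallery or SecurityFocus), the defective string-concatenation pattern is shown beside a parameterized login check. Python with sqlite3 stands in for the ASP application; the table and column names are assumed.

```python
import sqlite3


def make_db():
    """Constructed in-memory admin table standing in for the app's user store.
    A real store would hold a password hash, not the plaintext password."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    con.execute("INSERT INTO admins VALUES ('admin', 'correct horse')")
    return con


def build_query_unsafe(username, password):
    """The defective pattern: credentials are spliced straight into the SQL
    text. A quote in the input closes the string literal, so the remainder
    of the input (e.g. the 'or' from the advisory) is parsed as SQL."""
    return ("SELECT COUNT(*) FROM admins WHERE username='" + username
            + "' AND password='" + password + "'")


def login_safe(con, username, password):
    """Hardened form: the SQL text is fixed and the values travel as bound
    parameters, so quotes and keywords in the input stay inside the literal
    and are compared as data, never executed as part of the query."""
    row = con.execute(
        "SELECT COUNT(*) FROM admins WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe("'or'", "'or'"))   # shows the literal being broken open
    print(login_safe(db, "admin", "correct horse"))  # True
    print(login_safe(db, "'or'", "'or'"))            # False
```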