Bugtraq mailing list archives
Re: Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software.
From: <dcrab () hackerscenter com>
Date: 30 Mar 2005 20:00:07 -0000
In-Reply-To: <1112047432_32079 () S1 cableone net> I ran audit's on da latest version available for download on the Photopost website, and was unaware of your release so i apologise for the confusion. Dcrab
Received: (qmail 32267 invoked from network); 29 Mar 2005 22:12:43 -0000 Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26) by mail.securityfocus.com with SMTP; 29 Mar 2005 22:12:43 -0000 Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20]) by outgoing2.securityfocus.com (Postfix) with QMQP id D2B1F144E1B; Tue, 29 Mar 2005 11:33:25 -0700 (MST) Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq () securityfocus com> List-Help: <mailto:bugtraq-help () securityfocus com> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com> Delivered-To: mailing list bugtraq () securityfocus com Delivered-To: moderator for bugtraq () securityfocus com Received: (qmail 30350 invoked from network); 28 Mar 2005 14:41:04 -0000 From: "GulfTech Security Research" <security () gulftech org> To: <bugtraq () securityfocus com> Subject: RE: Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software. Date: Mon, 28 Mar 2005 16:03:24 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1250" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 In-Reply-To: <20050328192116.16152.qmail () www securityfocus com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478 Thread-Index: AcUz295H5cAHziumRKWigJxsdcguyAABNrIg Message-ID: <1112047432_32079 () S1 cableone net> X-IP-stats: Incoming Last 2, First 77, in=49, out=0, spam=0 X-External-IP: 24.117.152.22 X-Abuse-Info: Send abuse complaints to abuse () cableone net The SQL Injection issue in showmembers.php (showmembers.php?si=[SQL]) was reported to one of the lead developers Michael Pierce on March 11th 2005 by James Bercegay of GulfTech Research And Development and has since been fixed after being confirmed a legitimate security risk. Users with the older vulnerable versions are urged to upgrade asap. More information can be found on the official PhotoPost forums. James -----Original Message----- From: dcrab () hackerscenter com [mailto:dcrab () hackerscenter com] Sent: Monday, March 28, 2005 1:21 PM To: bugtraq () securityfocus com Subject: Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software. Dcrab 's Security Advisory http://icis.digitalparadox.org/~dcrab http://www.hackerscenter.com/ Severity: High Title: Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software. Date: March 29, 2005 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.308 / Virus Database: 266.8.3 - Release Date: 3/25/2005
Current thread:
- Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software. dcrab (Mar 28)
- RE: Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software. GulfTech Security Research (Mar 29)
- <Possible follow-ups>
- Re: Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software. dcrab (Mar 30)