[VIM] Copy of: Security issues in IPG (fwd)

Steven M. Christey coley at linus.mitre.org
Thu Apr 27 18:08:38 EDT 2006


filled out the web form... clarification post to bugtraq awaiting
approval.

---------- Forwarded message ----------
Date: Thu, 27 Apr 2006 18:05:05 -0400
From: Instant Photo Gallery
To: coley at mitre.org
Subject: Copy of: Security issues in IPG

This is a copy of the following message you sent to Ed Verosky via Instant
Photo Gallery

This is an enquiry e-mail via http://www.instantphotogallery.com from:
Steve Christey <coley at mitre.org>

Hello,

I am a computer security professional for the CVE project, which is
sponsored by the Department of Homeland Security to assign standard
identifiers for security vulnerabilities (http://www.us-cert.gov/cve/,
http://cve.mitre.org/).

Recently, some security vulnerability information about your product
was posted here:

  http://www.securityfocus.com/archive/1/432024/100/0/threaded

and here:

  http://www.securityfocus.com/archive/1/432022/100/0/threaded

It seems that the portfolio.php/cat_id issue might have been fixed in
1.0.2, but portfolio_photo_popup.php/id seems to be related to SQL
injection when count_click() is called.

I couldn't see anything about "viewpro" in the code anywhere - was that
report entirely wrong?

I would appreciate any information and fixes you might have.


Thank you,
Steve Christey
Principal Information Security Engineer
CVE Editor
The MITRE Corporation


