[VIM] Verified WhiteAlbum SQL injection
Steven M. Christey
coley at mitre.org
Tue Jan 17 19:13:35 EST 2006
Re: "White Album Sql İnjection biyosecurity.be"
I've been interested in the researcher "Liz0ziM" since they have been
accused of plagiarism and, even if not that, have made some errors in
the recent past.
I verified by source inspection the "dir" SQL injection issue in
pictures.php.
1) from albumapi.php in WhiteAlbum 2.5:
>function checkValidation($dir,$okDir,$target) {
>    global $db,$cfg;
>    $result=mysql_query("SELECT access FROM al_directories WHERE dir_id=$dir",$db);
>    $myrow=mysql_fetch_row($result);
>    if (in_array($myrow[0],$okDir)) {
>        return(true);
>    }
>}
2) from pictures.php:
>if (isset($_GET['dir'])) {
>    $derivedDir=$_GET['dir'];
>}
>...
>
>if (!$validated=checkValidation($derivedDir,$_SESSION['accessDir'],$_SERVER['PHP_SELF'])) {
Presumably, the attack is not effective when magic_quotes_gpc is on.
- Steve
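
An added example, not part of the original post and not WhiteAlbum's own code: a hardened form of the quoted checkValidation() that accepts dir only as an integer and binds it as a query parameter instead of concatenating it. The use of PDO, the in-memory SQLite table standing in for al_directories, the name checkValidationSafe, and the sample rows and access values are assumptions made for illustration.

```php
<?php
// Added example: hardened variant of the access check quoted above.
// Assumptions: PDO replaces the old mysql_* API, an in-memory SQLite
// table stands in for al_directories, and all sample rows are constructed.
function checkValidationSafe(PDO $db, $dir, array $okDir): bool
{
    // dir_id is numeric, so accept only a whole non-negative integer.
    // A value with anything appended (or an array, or null) fails here.
    $dirId = filter_var($dir, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($dirId === false) {
        return false;
    }
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT access FROM al_directories WHERE dir_id = :dir');
    $stmt->bindValue(':dir', $dirId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_NUM);
    // Unknown directory: deny explicitly instead of falling through.
    if ($row === false) {
        return false;
    }
    return in_array((string) $row[0], $okDir, true);
}

// Constructed sample data (not taken from WhiteAlbum).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE al_directories (dir_id INTEGER PRIMARY KEY, access TEXT)');
$db->exec("INSERT INTO al_directories VALUES (1, 'public'), (2, 'admin')");

$okDir = ['public']; // stands in for $_SESSION['accessDir']
var_dump(checkValidationSafe($db, '1', $okDir));        // directory the session may view
var_dump(checkValidationSafe($db, '2', $okDir));        // access level not granted
var_dump(checkValidationSafe($db, '2 OR 1=1', $okDir)); // constructed non-integer value
var_dump(checkValidationSafe($db, '99', $okDir));       // no such directory
```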