[VIM] IMGallery - "galeria.php" not "galerie.php"

Steven M. Christey coley at mitre.org
Fri Jun 30 16:05:13 EDT 2006

Original source ref:


Various VDBs are mentioning "galerie.php", but r0t said - and I
confirmed via the product download - that it's "galeria.php".

> find IMGallery | grep galer


and while we're at it:

  $start = $_GET['start'];   // unvalidated; used directly in the LIMIT clause below

  // $sort and $start are interpolated unquoted into ORDER BY and LIMIT
  $pobieranie = mysql_query ("SELECT  *  FROM  galeria WHERE kategoria LIKE '$kategoria' AND album LIKE '$album' AND opis LIKE '%$fraza%' AND hidden = '' AND verified = 'T' ORDER BY $sort DESC LIMIT $start,$limit");

so exploitation might be limited per Bill Heinbockel's previous
comments, but there's injection of something.

Regarding the sort parameter - the first reference of "sort" in
galeria.php is in the mysql_query() call above.  There are a whole lot
of include files, including wyszukiwarka.php, which has:

  $sort = $_GET['sort'];   // in wyszukiwarka.php; also unvalidated

Oh - and if you're asking yourself about the other variables mentioned
in the query above, the answer is "looks like it but I didn't take the
time to prove it."

- Steve
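For reference, here is how the galeria.php query quoted above can be rebuilt so that $sort, $start and $limit can no longer alter the SQL. This is an added example, not IMGallery's own code; it assumes a mysqli connection in $db, and that kategoria, album and opis (the columns visible in the original query) are the sortable ones.

```php
<?php
// Added example (not IMGallery's code): the galeria.php query with the
// three unsafe interpolations removed. Assumes a mysqli connection in $db.

function build_gallery_query(mysqli $db, array $get): mysqli_stmt
{
    // ORDER BY cannot be bound as a parameter, so $sort is checked against
    // an allow-list of column names; anything else falls back to a default.
    // The list of sortable columns is an assumption for this example.
    $allowed_sort = ['kategoria', 'album', 'opis'];
    $sort = in_array($get['sort'] ?? '', $allowed_sort, true)
        ? $get['sort']
        : 'opis';

    // LIMIT values must be non-negative integers; the cast discards
    // anything that is not a number, and the bounds keep offsets sane.
    $start = max(0, (int) ($get['start'] ?? 0));
    $limit = max(1, min(100, (int) ($get['limit'] ?? 20)));

    // The LIKE operands are bound, so quotes inside them are data, not SQL.
    $kategoria = $get['kategoria'] ?? '';
    $album     = $get['album'] ?? '';
    $fraza     = '%' . ($get['fraza'] ?? '') . '%';

    $sql = "SELECT * FROM galeria WHERE kategoria LIKE ? AND album LIKE ?"
         . " AND opis LIKE ? AND hidden = '' AND verified = 'T'"
         . " ORDER BY `$sort` DESC LIMIT ?, ?";
    $stmt = $db->prepare($sql);
    // MySQL accepts placeholders in LIMIT when the statement is prepared
    // natively, so $start and $limit are bound as integers.
    $stmt->bind_param('sssii', $kategoria, $album, $fraza, $start, $limit);
    return $stmt;
}

$stmt = build_gallery_query($db, $_GET);
$stmt->execute();
$pobieranie = $stmt->get_result();
```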

