All Enthusiast Photopost PHP Pro Multiple Input Validation Vulnerabilities

BID:9994

Info

All Enthusiast Photopost PHP Pro Multiple Input Validation Vulnerabilities

Bugtraq ID: 9994
Class: Input Validation Error
CVE: CVE-2004-1871
CVE-2004-1870
Remote: Yes
Local: No
Published: Mar 29 2004 12:00AM
Updated: Aug 03 2010 06:15PM
Credit: Discovery is credited to JeiAr <[email protected]>.
Vulnerable: All Enthusiast Inc Photopost PHP Pro 4.8.1
All Enthusiast Inc Photopost PHP Pro 4.6
All Enthusiast Inc Photopost PHP Pro 4.1
All Enthusiast Inc Photopost PHP Pro 4.0
All Enthusiast Inc Photopost PHP Pro 3.3
All Enthusiast Inc Photopost PHP Pro 3.2
All Enthusiast Inc Photopost PHP Pro 3.1
All Enthusiast Inc PhotoPost PHP 4.6
All Enthusiast Inc PhotoPost PHP 4.4
All Enthusiast Inc PhotoPost PHP 4.0
Not Vulnerable:

Discussion

All Enthusiast Photopost PHP Pro Multiple Input Validation Vulnerabilities

Multiple SQL injection, cross-site scripting and HTML injection vulnerabilities have been identified in the application, which may allow an attacker to execute arbitrary HTML or script code in a user's browser and/or influence SQL query logic to disclose sensitive information and carry out other attacks.

Photopost PHP Pro 4.6.0 and prior may be prone to these issues. Photopost PHP Pro 4.8.1 is reported vulnerable to these issues as well.

Exploit / POC

All Enthusiast Photopost PHP Pro Multiple Input Validation Vulnerabilities

No exploit is required to carry out a successful attack.

The following proof of concept example to exploit the SQL injection issue in 'ppuser' parameter is available:

http://www.example.com/showgallery.php?ppuser=-2'%20UNION%20SELECT%200,email,
0,0,0,0,0,0%20FROM%20user%20WHERE%20userid='1&amp;cat=500

Solution / Fix

All Enthusiast Photopost PHP Pro Multiple Input Validation Vulnerabilities

Solution:
It is reported that PhotoPost PHP Pro 4.86 has been released to address these issues. Please contact the vendor for more information and to obtain the fixed version.

References

All Enthusiast Photopost PHP Pro Multiple Input Validation Vulnerabilities

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report