CVE-2004-1415
Description
SQL injection in 2Bgal 2.4 and 2.5.1 allows remote attackers to execute arbitrary SQL commands via the id_album parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the disp_album.php script (and possibly disp_img.php) of 2Bgal versions 2.4 and 2.5.1 [1]. The id_album request parameter is concatenated directly into a SQL query without validation, as the vulnerable line shows: $chaine="SELECT nom,idpere FROM ".$tbl_alist." WHERE id=".$id_album [1]. Because the value is spliced in as a bare number with no quotes around it, quote-escaping alone would not help: whatever follows the digits is parsed as SQL.
Exploitation
An unauthenticated remote attacker can send a crafted HTTP request to disp_album.php with a malicious id_album value [1]. The advisory's proof-of-concept URL is http://www.server.com/2bgal/disp_album.php?id_album=2%20UNION%20SELECT%20passwd%20as%20nom,%20idpere%20FROM%20galbumlist%20LIMIT%201;%20-- [1]. URL-decoded, the parameter is 2 UNION SELECT passwd as nom, idpere FROM galbumlist LIMIT 1; --, so the script ends up running SELECT nom,idpere FROM $tbl_alist WHERE id=2 UNION SELECT passwd as nom, idpere FROM galbumlist LIMIT 1; --. The injected SELECT returns the same two columns as the original (passwd aliased to nom, plus idpere), which is what UNION requires, so the password hash from galbumlist is rendered in the place where the script would display the album name, and the trailing -- comments out anything the script appends after the parameter. By changing the table and columns named in the injected SELECT, the attacker can extract other data from the database [1].
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL commands against the application's database. Because the script displays the query's result, the injection is in-band: the proof of concept reads album passwords straight off the page, and the same technique reaches any other data the database user can read. This can lead to unauthorized access to the application and data compromise [1].
Mitigation
The available references do not identify a patched version or vendor-supplied mitigation [1]. Until a fixed release is available, administrators should monitor vendor updates and, as a workaround, ensure id_album is coerced to an integer before it reaches the query or is bound through a parameterized query, or restrict access to the vulnerable scripts. Escaping quotes in the parameter is not sufficient here, because the value is inserted unquoted after WHERE id=.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Direct concatenation of the unsanitized `id_album` parameter into a SQL query allows arbitrary SQL injection."
Attack vector
An attacker sends an HTTP request to `disp_album.php` (or potentially `disp_img.php`) with a crafted `id_album` parameter. Because the parameter value is concatenated directly into a SQL query, the attacker can inject arbitrary SQL commands. The advisory demonstrates a proof-of-concept URL that uses a UNION SELECT to extract the password hash from the `galbumlist` table [ref_id=1].
Affected code
The vulnerable code is in `disp_album.php` around line 53, and possibly also in `disp_img.php`. The query builds a SQL string by directly concatenating the `$id_album` variable without sanitization: `$chaine="SELECT nom,idpere FROM ".$tbl_alist." WHERE id=".$id_album` [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not provide remediation code, but the standard fix would be to treat `$id_album` as an integer (e.g., casting with `intval()`) or to use parameterized queries / prepared statements so that user-supplied input cannot alter the SQL structure. Without such sanitization, the query remains vulnerable to injection [ref_id=1].
Preconditions
- config: The target must run 2Bgal version 2.4 or 2.5.1
- network: The attacker must be able to send HTTP requests to the vulnerable disp_album.php or disp_img.php endpoint
- input: The id_album parameter must be accepted from the query string without sanitization
Reproduction
Visit `http://www.server.com/2bgal/disp_album.php?id_album=2%20UNION%20SELECT%20passwd%20as%20nom,%20idpere%20FROM%20galbumlist%20LIMIT%201;%20--` to have one album's password hash (the single row allowed by `LIMIT 1`) rendered where the album name would normally appear [ref_id=1].
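The vulnerable concatenation from the Affected code section, the UNION payload from the Exploitation and Reproduction sections, and the two fixes suggested under What the fix does, run together against a throwaway database. This is an added example written for this page, not 2Bgal's PHP code: it rebuilds the `disp_album.php` query string in Python and uses an in-memory SQLite database in place of the application's own database, so the order in which the UNION's rows come back (which the PoC's unordered `LIMIT 1` relies on) is SQLite's, not necessarily 2Bgal's backend's. The `galbumlist` table and its `nom`, `idpere` and `passwd` columns come from the PoC; the rows, the placeholder hashes and the function names (`build_vulnerable_query`, `disp_album_vulnerable`, `disp_album_intval`, `disp_album_param`, `rejected_by_intval`) are constructed here.

```python
import sqlite3

# Constructed sample data, not from the advisory: the table named in the PoC
# (galbumlist) with the columns the vulnerable query and the payload use.
# The passwd values are placeholders; they start with "$" so that they sort
# before the album names in the UNION's output, which is what the PoC's
# unordered "LIMIT 1" depends on to return a hash rather than an album name.
ROOT_HASH = "$1$00000000$placeholder.root.hash"
HOLIDAY_HASH = "$1$11111111$placeholder.holiday.hash"
SCHEMA = f"""
CREATE TABLE galbumlist (id INTEGER PRIMARY KEY, nom TEXT, idpere INTEGER, passwd TEXT);
INSERT INTO galbumlist VALUES (1, 'root',     0, '{ROOT_HASH}');
INSERT INTO galbumlist VALUES (2, 'holidays', 1, '{HOLIDAY_HASH}');
"""

# The advisory's PoC value for id_album, URL-decoded.
PAYLOAD = "2 UNION SELECT passwd as nom, idpere FROM galbumlist LIMIT 1; --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_vulnerable_query(id_album, tbl_alist="galbumlist"):
    # Same construction as disp_album.php:
    #   $chaine="SELECT nom,idpere FROM ".$tbl_alist." WHERE id=".$id_album
    # The value is spliced in unquoted, so nothing has to be "escaped" to break
    # out of a string: any text after the digits is parsed as SQL.
    return "SELECT nom,idpere FROM " + tbl_alist + " WHERE id=" + id_album


def disp_album_vulnerable(conn, id_album):
    """The original behaviour: the raw request parameter becomes part of the SQL text."""
    return conn.execute(build_vulnerable_query(id_album)).fetchall()


def disp_album_intval(conn, id_album):
    """Fix 1: force the parameter to an integer before it reaches the query.
    PHP's intval() would silently turn the payload into 2 (it stops at the first
    non-digit); int() here rejects it instead, the stricter choice for an id
    that must be numeric."""
    album_id = int(id_album)  # ValueError on "2 UNION SELECT ..."
    return conn.execute("SELECT nom,idpere FROM galbumlist WHERE id=?", (album_id,)).fetchall()


def disp_album_param(conn, id_album):
    """Fix 2: prepared statement. The value is bound, never parsed as SQL, so the
    payload is just a string that matches no integer id and the query returns nothing."""
    return conn.execute("SELECT nom,idpere FROM galbumlist WHERE id=?", (id_album,)).fetchall()


def rejected_by_intval(conn, id_album):
    """True if the integer-cast variant refuses the value."""
    try:
        disp_album_intval(conn, id_album)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(disp_album_vulnerable(db, "2"))      # [('holidays', 1)]
    print(disp_album_vulnerable(db, PAYLOAD))  # one row whose first column is a password hash, not an album name
    print(disp_album_param(db, PAYLOAD))       # []
    print(rejected_by_intval(db, PAYLOAD))     # True
```

Running the file shows the legitimate request returning the album row, the PoC returning a `passwd` value in the `nom` position, the bound-parameter version returning nothing for the payload, and the integer cast rejecting it. The cast behaves differently from PHP's `intval()`, which would convert the payload to `2` and quietly serve the real album; that also blocks the injection, but a strict parse that refuses non-numeric input makes the attempt visible in logs.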
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.