Unrated severity · NVD Advisory · Published May 4, 2009 · Updated Apr 23, 2026

CVE-2008-6788

Description

SQL injection in MindDezign Photo Gallery 2.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

MindDezign Photo Gallery version 2.2 is vulnerable to SQL injection in the index.php script. The id parameter in the info action is not properly sanitized before being used in SQL queries. This vulnerability is exploitable only when PHP's magic_quotes_gpc directive is disabled. The affected version is 2.2 as confirmed by the exploit reference [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication. By sending a crafted HTTP GET request to index.php?module=gallery&action=info&cate_id=1&id=-9999'+union+select+1,2,3,4,5,6,7,8,concat(gal_admin_username,0x3a3a,gal_admin_password),10+from+gallery_admin--, the attacker can extract the admin username and password from the gallery_admin table [1]. The exploit requires no special privileges or user interaction.

Impact

Successful exploitation allows an attacker to retrieve sensitive information, specifically the administrator's username and password hash from the database. This can lead to full administrative control over the gallery application, potentially enabling further compromise of the server or data exfiltration.

Mitigation

No official patch or fixed version has been released by the vendor. As a workaround, administrators should ensure magic_quotes_gpc is enabled if possible, though this is not a complete solution. The best mitigation is to upgrade to a newer, supported version of the gallery software or apply input validation and parameterized queries to the vulnerable parameter. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
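For sites that cannot patch, web server access logs can be reviewed for requests to the info action that carry a non-numeric id. The following is an added detection example, not part of the advisory or of the vendor's code; it assumes Combined Log Format and that legitimate id values are plain non-negative integers, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client IP ... "METHOD target HTTP/x.y" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumption: legitimate photo ids are plain non-negative integers.
VALID_ID_RE = re.compile(r"\d+")


def flag_info_requests(log_lines):
    """Return (ip, status, decoded_id) for index.php info requests whose id is not an integer."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parsable request line
        url = urlsplit(match["target"])
        if not url.path.lower().endswith("/index.php"):
            continue
        # parse_qs percent-decodes values and turns '+' into a space
        params = parse_qs(url.query, keep_blank_values=True)
        if "info" not in params.get("action", []):
            continue
        for value in params.get("id", []):  # checks every repeated id parameter
            if not VALID_ID_RE.fullmatch(value):
                findings.append((match["ip"], int(match["status"]), value))
    return findings


# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/May/2009:10:00:01 +0000] "GET /index.php?module=gallery'
    '&action=info&cate_id=1&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [04/May/2009:10:00:05 +0000] "GET /index.php?module=gallery'
    '&action=info&cate_id=1&id=-9999%27+union+select+1,2-- HTTP/1.1" 200 4890 "-" "-"',
    '203.0.113.7 - - [04/May/2009:10:00:09 +0000] "GET /index.php?module=gallery'
    '&action=list&cate_id=1 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    'malformed line without a request field',
]

if __name__ == "__main__":
    for ip, status, value in flag_info_requests(SAMPLE_LOG):
        print(f"{ip} status={status} id={value!r}")
```

A hit indicates an attempt rather than a confirmed extraction, since the advisory states the flaw is exploitable only when magic_quotes_gpc is disabled.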

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:minddezign:photo_gallery:2.2:*:*:*:*:*:*:* (+ 1 more)
    • cpe:2.3:a:minddezign:photo_gallery:2.2:*:*:*:*:*:*:*
    • (no CPE) range: = 2.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

5
