CVE-2008-6789
Description
SQL injection in MindDezign Photo Gallery 2.2 login allows remote attackers to execute arbitrary SQL commands and add admin users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MindDezign Photo Gallery version 2.2 contains a SQL injection vulnerability in the login action of the admin module. The username parameter is not properly sanitized before being used in SQL queries. The vulnerability is exploitable when PHP's magic_quotes_gpc is disabled [1].
Exploitation
An unauthenticated attacker can send a crafted HTTP POST request to index.php?module=admin&action=login with a malicious username parameter containing SQL injection payloads. The provided exploit script demonstrates how to inject SQL statements that insert a new administrator user into the database, bypassing authentication [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands, leading to the creation of an administrative account. This grants full control over the gallery application, including the ability to modify, delete, or exfiltrate data.
Mitigation
No official patch has been released for this vulnerability. The application may be end-of-life. Users should disable the admin module or apply input validation and parameterized queries. Disabling magic_quotes_gpc is not recommended as a security measure.
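The mitigation above (parameterized queries plus input validation on the login's username parameter) is easier to reason about with a minimal side-by-side. The block below is an added illustration, not code from MindDezign Photo Gallery or from this CVE's references; it uses an in-memory SQLite table and a constructed `users` row, and `login_vulnerable`, `login_hardened` and `is_valid_username` are names chosen for the example. The vulnerable function shows the concatenation pattern the description refers to; the hardened one binds the user-supplied values as parameters so they can never change the query's structure, and rejects usernames outside a conservative allowlist before the database is touched.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the affected product).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse', 1)")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Defective pattern: untrusted input is spliced into the SQL text.

    Quoting characters in `username` become part of the query itself, which is
    the class of flaw the CVE description refers to (no escaping when
    magic_quotes_gpc is off, and escaping is not a reliable fix anyway).
    """
    sql = (
        f"SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None

# Allowlist for usernames: letters, digits, dot, underscore, hyphen; 1-64 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def is_valid_username(username):
    return bool(USERNAME_RE.fullmatch(username))

def login_hardened(conn, username, password):
    """Parameterized query: values are bound by the driver, never parsed as SQL.

    Input validation on top is defence in depth; the parameter binding alone
    already prevents the injection. (A real login would also compare a salted
    password hash rather than a plaintext column.)
    """
    if not is_valid_username(username):
        return False
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    # Classic tautology input that turns the concatenated WHERE clause true.
    tautology = "' OR '1'='1' --"
    print("vulnerable, tautology :", login_vulnerable(db, tautology, "x"))   # True
    print("hardened,   tautology :", login_hardened(db, tautology, "x"))     # False
    print("hardened,   valid     :", login_hardened(db, "alice", "correct-horse"))  # True
```

The point of the comparison is that `login_hardened` returns `False` for the tautology input not because it recognised an attack, but because the driver passed the whole string as one value; the allowlist check is an extra layer that also gives you a clean place to log rejected input for detection.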
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:minddezign:photo_gallery:2.2:*:*:*:*:*:*:*
- (no CPE) version range: = 2.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.