HIO-2009-0719 Photokorn Multiple Vulnerabilities

Photokorn 1.81 and earlier contains multiple flaws which can be exploited by malicious users to conduct SQL injection, cross-site request forgery, and cross-site scripting attacks.

1) SQLi: Input passed to the "where%5B%5D", "sort", "order", and "Match" parameters on POST to search.php is not properly sanitised before being used in SQL queries. Additionally, input passed to the "where[]" parameter via GET requests to search.php is not properly sanitised before being used in SQL queries. These flaws can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) XSS: Input passed to the "where%5B%5D" parameter via GET and POST requests submitted to search.php is not properly sanitised before being returned to the user. Additionally, input passed during an admin session to the "qc" variable submitted to the admin.php script is not properly sanitised before being returned to the user. These flaws can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) CSRF: The application allows users to perform all admin actions via HTTP requests without performing any validation checks to verify the requests. This can be exploited to e.g. perform administrative functions when a logged-in user views a malicious web page.

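As an added illustration of the fixes a defender would apply to the three issue classes above, not code from Photokorn or its vendor, the following hypothetical PHP 7.4+ fragment handles the same search.php parameters with an allowlist for "sort"/"order", bound values for "where[]" and "Match", HTML escaping of anything reflected back (covering the "where[]" and "qc" cases), and a per-session CSRF token for admin.php actions. The table and column names, the DSN and credentials, and the assumption that "where[]" carries numeric category ids are placeholders.

```php
<?php
// Added example, not Photokorn's code: a hypothetical hardened search.php /
// admin.php fragment. Table, column names, DSN and credentials are placeholders.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER', 'USER', 'PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // use real server-side prepared statements
]);

// 1) SQLi. "sort"/"order" end up as identifiers, which cannot be bound as
//    parameters, so they are mapped through an allowlist; "where[]" and "Match"
//    are bound as values and never concatenated into the statement text.
$allowedSort  = ['date' => 'pic_date', 'title' => 'pic_title', 'hits' => 'pic_hits'];
$allowedOrder = ['asc' => 'ASC', 'desc' => 'DESC'];
$sort  = $allowedSort[(string)($_REQUEST['sort'] ?? '')] ?? 'pic_date';
$order = $allowedOrder[strtolower((string)($_REQUEST['order'] ?? ''))] ?? 'DESC';
$match = (string)($_POST['Match'] ?? '');
$where = array_map('intval', (array)($_REQUEST['where'] ?? []));  // assumed: category ids

$sql    = 'SELECT pic_id, pic_title FROM pics WHERE pic_title LIKE ?';
$params = ['%' . $match . '%'];
if ($where !== []) {
    // one "?" per where[] element, so the list length never changes the SQL shape
    $sql   .= ' AND cat_id IN (' . implode(',', array_fill(0, count($where), '?')) . ')';
    $params = array_merge($params, $where);
}
$sql .= " ORDER BY $sort $order";   // both values come from the allowlists above
$stmt = $pdo->prepare($sql);
$stmt->execute($params);

// 2) XSS. Anything reflected back into the page (where[], qc, ...) is escaped
//    at output time, regardless of what was accepted on input.
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
foreach ($where as $w) {
    echo '<input type="hidden" name="where[]" value="' . h((string)$w) . '">';
}

// 3) CSRF. Every state-changing admin action must arrive by POST and carry a
//    per-session random token that is compared in constant time.
function csrfToken(): string { return $_SESSION['csrf'] ??= bin2hex(random_bytes(32)); }
function requireCsrf(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !hash_equals(csrfToken(), (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('request rejected');
    }
}
// admin.php would call requireCsrf() before acting, and emit csrfToken() in each admin form.
```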
References:

CVE: CVE-2009-pending
BID: 35966
FrSIRT: N/A
Nessus: N/A
OSVDB: 56804, 56805, 56806
SA: 36150
XF:
Related:

Vendor Solution: