CVE-2004-1870

PhotoPost PHP Pro 4.6.x - SQL Injection via Multiple Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2004-1870. PoCs published by JeiAr, GulfTech Security.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in Photopost PHP Pro, allowing an attacker to extract sensitive information such as user emails by manipulating the 'ppuser' parameter in the URL.

Description

Multiple SQL injection vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to gain users' passwords via the (1) photo parameter to addfav.php, (2) photo parameter to comments.php, (3) credit parameter to comments.php, (4) cat parameter to index.php, (5) ppuser parameter to showgallery.php, (6) cat parameter to showgallery.php, (7) cat parameter to uploadphoto.php, (8) albumid parameter to useralbums.php, or (9) albumid parameter to useralbums.php.

Exploits (2)

exploitdb WORKING POC VERIFIED
by JeiAr · textwebappsphp
https://www.exploit-db.com/exploits/23885

This exploit demonstrates a SQL injection vulnerability in Photopost PHP Pro, allowing an attacker to extract sensitive information such as user emails by manipulating the 'ppuser' parameter in the URL.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Photopost PHP Pro 4.6.0 and prior, 4.8.1
No auth needed
Prerequisites: Access to the target application URL
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP
by GulfTech Security · textwebappsphp
https://www.exploit-db.com/exploits/43808

This is a detailed vulnerability writeup for PhotoPost <= 4.6, describing multiple SQL injection, XSS, script injection, and DoS vulnerabilities. It provides URLs and parameters for exploitation but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Sqli | Xss | Dos | Info Leak
Complexity
Trivial
Reliability
Theoretical
Target: PhotoPost <= 4.6
No auth needed
Prerequisites: Access to vulnerable PhotoPost installation
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/9994
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=108057790723123&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/15642
Vendor Advisory vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1009571
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/11241

Scores

EPSS 0.0116
EPSS Percentile 63.0%

Details

Status published
Products (7)
photopost/photopost_php_pro 3.1
photopost/photopost_php_pro 3.2
photopost/photopost_php_pro 3.3
photopost/photopost_php_pro 4.0
photopost/photopost_php_pro 4.1
photopost/photopost_php_pro 4.6
photopost/photopost_php_pro 4.8.1
Published Mar 29, 2004
Tracked Since Feb 18, 2026