CVE-2007-6266

bcoos <= 1.0.10 - SQL Injection via gid Parameter or lid Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2007-6266. PoCs published by Lostmon.

AI-analyzed exploit summary: The provided text describes SQL injection and XSS vulnerabilities in bcoos 1.0.10, specifically in modules like myalbum, but does not include executable exploit code. It provides an example SQLi payload for stealing user passwords.

Description

Multiple SQL injection vulnerabilities in bcoos 1.0.10 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the gid parameter to modules/arcade/index.php in a show_stats action, or the lid parameter to (2) modules/myalbum/ratephoto.php or (3) modules/mylinks/ratelink.php, different vectors than CVE-2007-5104.

Exploits (2)

exploitdb WRITEUP VERIFIED
by Lostmon · text · webapps · php
https://www.exploit-db.com/exploits/30823

The provided text describes SQL injection and XSS vulnerabilities in bcoos 1.0.10, specifically in modules like myalbum, but does not include executable exploit code. It provides an example SQLi payload for stealing user passwords.

Classification
Writeup 90%
Attack Type
SQLi
Complexity
Trivial
Reliability
Theoretical
Target: bcoos 1.0.10
No auth needed
Prerequisites: Access to vulnerable bcoos installation
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Lostmon · text · webapps · php
https://www.exploit-db.com/exploits/30824

The provided text describes SQL injection and XSS vulnerabilities in bcoos 1.0.10, specifically in modules like mylinks, but does not include executable exploit code. It provides an example SQLi payload for stealing user passwords.

Classification
Writeup 90%
Attack Type
SQLi
Complexity
Trivial
Reliability
Theoretical
Target: bcoos 1.0.10
No auth needed
Prerequisites: Access to the vulnerable bcoos application
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References (3 listed)

Exploit (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/26629

Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf)
https://exchange.xforce.ibmcloud.com/vulnerabilities/36752

Vendor Advisory (third-party-advisory, x_refsource_secunia)
http://secunia.com/advisories/26945

Scores

EPSS 0.0098
EPSS Percentile 57.6%

Details

CWE
CWE-89
Status published
Products (1)
bcoos/bcoos 1.0.10
Published Dec 07, 2007
Tracked Since Feb 18, 2026