CVE-2010-4906

Zenphoto 1.3 and 1.3.1.2 - SQL Injection via a Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-4906. PoCs published by Bogdan Calin.

AI-analyzed exploit summary The provided text describes an SQL injection and XSS vulnerability in Zenphoto 1.3, with a sample exploit URL demonstrating the SQLi vector. It lacks functional exploit code but includes technical details about the vulnerability and its impact.

Description

SQL injection vulnerability in zp-core/full-image.php in Zenphoto 1.3 and 1.3.1.2 allows remote attackers to execute arbitrary SQL commands via the a parameter. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Bogdan Calin · textwebappsphp

https://www.exploit-db.com/exploits/34610

View Code ZIP pw:eip

The provided text describes an SQL injection and XSS vulnerability in Zenphoto 1.3, with a sample exploit URL demonstrating the SQLi vector. It lacks functional exploit code but includes technical details about the vulnerability and its impact.

Classification

Writeup 90%

Attack Type

Sqli | Xss

Complexity

Trivial

Reliability

Theoretical

Target: Zenphoto 1.3

No auth needed

Prerequisites: Access to the vulnerable Zenphoto instance

MITRE ATT&CK