CVE-2012-4926

Img Pals Photo Host 1.0 - Unauthenticated Administrator Activation Change via approve.php u Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-4926. PoCs published by CorryL.

AI-analyzed exploit summary: The exploit demonstrates an authentication bypass vulnerability in ImgPals Photo Host 1.0 STABLE, allowing an attacker to disable the administrator account by sending a crafted HTTP request to 'approve.php'. The PoC uses cURL to manipulate the 'approved' field in the database via SQL injection.

Description

approve.php in Img Pals Photo Host 1.0 does not authenticate requests, which allows remote attackers to change the activation of administrators via the u parameter in an (1) app0 (disable) or (2) app1 (enable) action.

Exploits (1)

exploitdb WORKING POC
by CorryL · text · webapps · php
https://www.exploit-db.com/exploits/18544

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: ImgPals Photo Host 1.0 STABLE
No auth needed
Prerequisites: Network access to the target application
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18544
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-02/0180.html

Scores

EPSS: 0.0190
EPSS Percentile: 77.0%

Details

CWE: CWE-287
Status: published
Products (1): imgpals/img_pals_photo_host 1.0
Published: Sep 15, 2012
Tracked Since: Feb 18, 2026