Plogger SQL Injection

Product: Plogger
Severity: High
CVE Reference: N/A
Type: Plogger SQL Injection Vulnerability

An SQL injection vulnerability was identified in Plogger, a popular open source PHP photo gallery. CPNI (the Centre for the Protection of National Infrastructure) has been informed of this vulnerability. The vendor has also been informed and has released a code fix, which is available from change set 489. The vulnerability would enable an attacker to inject arbitrary SQL statements. SQL injection inference techniques were used to develop a proof of concept exploit that could be used to access any field from the Plogger database (and potentially any field of any database accessible to the database user that Plogger is configured to use).