SECUNIA ADVISORY ID: SA22349

VERIFY ADVISORY: http://secunia.com/advisories/22349/

CRITICAL: Moderately critical

IMPACT: Manipulation of data

WHERE: >From remote

SOFTWARE: 4images 1.x - http://secunia.com/product/8373/

DESCRIPTION: disfigure has reported a vulnerability in 4images, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "search_user" parameter in search.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability has been reported in version 1.7.2. Other versions may also be affected.

SOLUTION: Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY: disfigure