Flicker - one of the one of the biggest online photo management and sharing website in the world was recently impacted by critical vulnerabilities.
Ibrahim Raafat, a security researcher from Egypt has found SQL injection vulnerabilities on Flickr Photo Books,
He claimed to have found two parameters (page_id , items) vulnerable to Blind SQL injection and one (i.e. order_id) Direct SQL Injection that allowed him to query the Flickr database for its content by the injection of a SQL SELECT statements.
A Successful SQL exploitation ould allow an attacker to steal the Database and MYSQL administrator password
Furthermore, Flickr's SQL injection flaws also facilitate the attacker to exploit remote code execution on the server and using load_file(“/etc/passwd“)
function he was successfully managed to read the content from the sensitive files on the Flickr server, as shown below:
In addition to this, Ibrahim was able to write new files on the server that let him upload a custom 'code execution shell'.
Post a Comment