ID

VAR-200807-0474


CVE

CVE-2008-3355


TITLE

Camera Life 'sitemap.xml.php' SQL Injection Vulnerability

Trust: 0.9

sources: BID: 30368 // CNNVD: CNNVD-200807-447

DESCRIPTION

SQL injection vulnerability in sitemap.xml.php in Camera Life 2.6.2 allows remote attackers to execute arbitrary SQL commands via the id parameter in a photos action. Camera Life is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Camera Life 2.6.2 is vulnerable; other versions may also be affected. Camera Life is a photo album management system developed in PHP. Input passed to the "id" parameter in sitemap.xml.php is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerability is confirmed in version 2.6.

SOLUTION: Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY: nuclear

ORIGINAL ADVISORY: http://milw0rm.com/exploits/6132

Trust: 2.07

sources: NVD: CVE-2008-3355 // JVNDB: JVNDB-2008-003299 // BID: 30368 // VULHUB: VHN-33480 // PACKETSTORM: 68573

AFFECTED PRODUCTS

vendor: camera life, model: camera life, scope: eq, version: 2.6.2

Trust: 2.4

vendor: camera, model: life camera life, scope: eq, version: 2.6.2

Trust: 0.3

sources: BID: 30368 // JVNDB: JVNDB-2008-003299 // CNNVD: CNNVD-200807-447 // NVD: CVE-2008-3355

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-3355
value: HIGH

Trust: 1.0

NVD: CVE-2008-3355
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200807-447
value: HIGH

Trust: 0.6

VULHUB: VHN-33480
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2008-3355
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-33480
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-33480 // JVNDB: JVNDB-2008-003299 // CNNVD: CNNVD-200807-447 // NVD: CVE-2008-3355

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-33480 // JVNDB: JVNDB-2008-003299 // NVD: CVE-2008-3355

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200807-447

TYPE

sql injection

Trust: 0.7

sources: PACKETSTORM: 68573 // CNNVD: CNNVD-200807-447

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-003299

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-33480

PATCH

title: Top Page, url: http://fdcl.sourceforge.net/

Trust: 0.8

sources: JVNDB: JVNDB-2008-003299

EXTERNAL IDS

db: NVD, id: CVE-2008-3355

Trust: 2.8

db: BID, id: 30368

Trust: 2.0

db: SECUNIA, id: 31234

Trust: 1.9

db: EXPLOIT-DB, id: 6132

Trust: 1.8

db: SREASON, id: 4047

Trust: 1.7

db: JVNDB, id: JVNDB-2008-003299

Trust: 0.8

db: CNNVD, id: CNNVD-200807-447

Trust: 0.7

db: XF, id: 43991

Trust: 0.6

db: MILW0RM, id: 6132

Trust: 0.6

db: VULHUB, id: VHN-33480

Trust: 0.1

db: PACKETSTORM, id: 68573

Trust: 0.1

sources: VULHUB: VHN-33480 // BID: 30368 // JVNDB: JVNDB-2008-003299 // PACKETSTORM: 68573 // CNNVD: CNNVD-200807-447 // NVD: CVE-2008-3355

REFERENCES

url:http://www.securityfocus.com/bid/30368

Trust: 1.7

url:http://secunia.com/advisories/31234

Trust: 1.7

url:http://securityreason.com/securityalert/4047

Trust: 1.7

url:https://www.exploit-db.com/exploits/6132

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/43991

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3355

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-3355

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/43991

Trust: 0.6

url:http://www.milw0rm.com/exploits/6132

Trust: 0.6

url:http://fdcl.sourceforge.net/

Trust: 0.3

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/31234/

Trust: 0.1

url:http://secunia.com/hardcore_disassembler_and_reverse_engineer/

Trust: 0.1

url:http://secunia.com/product/15165/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/secunia_security_specialist/

Trust: 0.1

url:http://milw0rm.com/exploits/6132

Trust: 0.1

url:http://corporate.secunia.com/about_secunia/64/

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-33480 // BID: 30368 // JVNDB: JVNDB-2008-003299 // PACKETSTORM: 68573 // CNNVD: CNNVD-200807-447 // NVD: CVE-2008-3355

CREDITS

nuclear

Trust: 0.9

sources: BID: 30368 // CNNVD: CNNVD-200807-447

SOURCES

db: VULHUB, id: VHN-33480
db: BID, id: 30368
db: JVNDB, id: JVNDB-2008-003299
db: PACKETSTORM, id: 68573
db: CNNVD, id: CNNVD-200807-447
db: NVD, id: CVE-2008-3355

LAST UPDATE DATE

2025-04-10T23:23:33.830000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-33480, date: 2017-09-29T00:00:00
db: BID, id: 30368, date: 2015-05-07T17:25:00
db: JVNDB, id: JVNDB-2008-003299, date: 2012-06-26T00:00:00
db: CNNVD, id: CNNVD-200807-447, date: 2009-01-29T00:00:00
db: NVD, id: CVE-2008-3355, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB, id: VHN-33480, date: 2008-07-28T00:00:00
db: BID, id: 30368, date: 2008-07-25T00:00:00
db: JVNDB, id: JVNDB-2008-003299, date: 2012-06-26T00:00:00
db: PACKETSTORM, id: 68573, date: 2008-07-29T00:54:10
db: CNNVD, id: CNNVD-200807-447, date: 2008-07-28T00:00:00
db: NVD, id: CVE-2008-3355, date: 2008-07-28T17:41:00