XooGallery SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in XooGallery Latest, allowing unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter. Exploitation involves sending GET requests to gal.php with malicious gal_id values, which could lead to the extraction of sensitive database information or modification of database contents.
Impact
Exploitation of this vulnerability allows attackers to interfere with the queries the application sends to its database. This could result in unauthorized data access, data manipulation, or, in some cases, execution of administrative operations on the database.
Reproduction
To reproduce this vulnerability, send a GET request to gal.php with a crafted gal_id parameter that includes SQL injection payloads. The injected SQL code can be used to manipulate the database query, potentially leading to unauthorized data access or modification.
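A defender-side check for the request pattern described above, added here as an example (it is not code from XooGallery or from this advisory): it scans web server access-log lines for GET requests to gal.php whose gal_id is not a plain integer. The combined log format, the assumption that a legitimate gal_id is a decimal number, the function name and the sample log lines are assumptions or constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate gal_id is a plain decimal gallery number.
VALID_GAL_ID = re.compile(r'\d{1,10}')


def suspicious_gal_requests(log_lines):
    """Return (client_ip, decoded_gal_id) for GET requests to gal.php
    whose gal_id value is not an integer."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/gal.php"):
            continue
        # parse_qs percent-decodes values; keep_blank_values keeps "gal_id=" visible.
        params = parse_qs(url.query, keep_blank_values=True)
        # A repeated gal_id parameter yields several values; check each one.
        for value in params.get("gal_id", []):
            if not VALID_GAL_ID.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /gal.php?gal_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /gal.php?gal_id=12%27 HTTP/1.1" 500 310 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /gallery/gal.php?page=2&gal_id=3+abc HTTP/1.1" 200 4800 "-" "curl/8.0"',
    '203.0.113.4 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?gal_id=x HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in suspicious_gal_requests(SAMPLE_LOG):
        print(f"{ip} sent non-integer gal_id: {value!r}")
```

The same integer-only rule can be enforced at a reverse proxy or WAF in front of gal.php while the application itself is being fixed.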
