[Original text] SQL injection vulnerability in PhotoPost PHP Pro 5.x may allow remote attackers to execute arbitrary SQL commands via (1) the sl parameter to showmembers.php or (2) the photo parameter to showphoto.php.
PhotoPost PHP Pro showmembers.php sl Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
PhotoPost PHP Pro contains a flaw that allows an attacker to inject arbitrary SQL code. The 'sl' variable in the showmembers.php script is not properly validated, which allows an attacker to inject or manipulate SQL queries.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.