[原文]Multiple SQL injection vulnerabilities in Enthrallwebe ePhotos 2.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) CAT_ID parameter in (a) subphotos.asp and (b) subLevel2.asp, the (2) AL_ID parameter in (c) photo.asp, and the (3) SUB_ID parameter in (d) subLevel2.asp.
ePhotos contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the subphotos.asp script not properly sanitizing user-supplied input to the 'CAT_ID' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.