Several SQL Injection Vulnerabilities Discovered in Zoph -

According to an advisory recently released by Secunia, an attacker can manipulate data from a remote location thanks to multiple SQL injection vulnerabilities found in Zoph (Zoph Organizes Photos). The vulnerability has been deemed "moderately critical" by Secunia, but a new version of Zoph, which addresses the security issue, has been made available.

SQL injection attacks have been on the increase lately, and numerous sites have consequently become infected. In the case of Zoph, "certain unspecified input is not properly sanitized before being used in SQL queries" and thus an attacker can inject arbitrary SQL code to manipulate SQL queries. This vulnerability has been detected in all Zoph versions prior to

As of yesterday, the 20th of July, Zoph has released version and users are well advised to update as quickly as possible. "During development of Zoph, I found a couple of possible SQL injections. Although most are not exploitable or only exploitable by an admin user, I have created an updated release for Zoph: v0.7.0.5. I recommend everyone upgrading to this version. The release also includes a number of extra 'safety nets' that will make exploiting any future SQL injections a lot harder. It also fixes a number of bugs in the 0.7 release," says Jeroen Roos from Zoph.

Those of you who are unfamiliar with Zoph must know that it is a web based application that one can use to manage all their digital images, or in layman's terms, an open source photo album. You can use Zoph to organize your increasing photo database, generate thumbnail galleries, record additional info in regard to your pictures, and even control access to said pictures.

The security industry started to detect a large number of SQL injection attacks back in March, the current year. The following month, in April, these attacks started to target trusted, well known sites that attracted a large number of visitors. By June, the number of infected sites had risen to a staggering 76%, according to reports from security company ScanSafe.

[Source: softpedia]