Igor Franchuk

**Name of the Vulnerable Software and Affected Versions** PhotoPost PHP version 5.0 RC3 **Description** The issue concerns the reportpost action in misc.php, which fails to limit the logging data sent to the administrator. This allows remote attackers to send large amounts of email to the administrator. **Recommendations** For PhotoPost PHP version 5.0 RC3, consider restricting access to the reportpost action in misc.php to prevent abuse, or limit the amount of logging data that can be sent to the administrator to mitigate the risk of receiving large amounts of email.

**Name of the Vulnerable Software and Affected Versions** PhotoPost PHP version 5.0 RC3 **Description** The issue concerns a lack of proper verification for administrative privileges in the adm-photo.php file, potentially allowing remote attackers to manipulate photos belonging to other users. **Recommendations** For PhotoPost PHP version 5.0 RC3, consider restricting access to the adm-photo.php file until a proper fix is implemented to verify administrative privileges before allowing photo manipulation.

**Name of the Vulnerable Software and Affected Versions** PhotoPost PHP version 5.0 RC3 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The vulnerabilities are specifically found in the `check tags` function and the `editbio` field in the user profile. **Recommendations** For PhotoPost PHP version 5.0 RC3, consider disabling the `check tags` function and restricting access to the `editbio` field in the user profile until a patch is available. Avoid using the `editbio` field in user profiles until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PhotoPost PHP version 5.0 RC3 **Description** The issue allows remote attackers to inject arbitrary Javascript by uploading non-image files with an image extension, as the software does not fully verify that an uploaded file is an image file. **Recommendations** For PhotoPost PHP version 5.0 RC3, consider implementing additional file type verification to ensure only actual image files can be uploaded, and restrict the execution of Javascript code from uploaded files until a proper fix is available.

**Name of the Vulnerable Software and Affected Versions** PhotoPost PHP version 5.0 RC3 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `uid` parameter in the member.php script and possibly other scripts. **Recommendations** For PhotoPost PHP version 5.0 RC3, consider restricting access to the vulnerable `uid` parameter in the member.php script until a patch is available. As a temporary workaround, avoid using the `uid` parameter in the affected scripts to minimize the risk of exploitation.