CVE-2008-3563

Name of the Vulnerable Software and Affected Versions Plogger versions 3.0 and earlier

Description The issue allows remote attackers to execute arbitrary SQL commands, potentially leading to data manipulation or extraction. This can be achieved through the checked array parameter to "plog-download.php" in an album action, and unspecified parameters to "plog-remote.php". Additionally, remote authenticated administrators can execute arbitrary SQL commands via the activate parameter to "admin/plog-themes.php", related to theme dir settings.

Recommendations For Plogger versions 3.0 and earlier, update to a version later than 3.0 to resolve the issue. As a temporary workaround, consider restricting access to the "plog-download.php" and "plog-remote.php" scripts, and limiting administrative access to "admin/plog-themes.php" until a patch is available. Avoid using the activate parameter in "admin/plog-themes.php" and the checked array parameter in "plog-download.php" until the issue is resolved.