XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerability

Vulnerability ID: 1107633  Vulnerability type: SQL injection
Published: 2004-01-16  Updated: 2004-12-31
CVE ID: CVE-2004-2746
CNNVD ID: CNNVD-200412-238
Platform: ASP  CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/23547
https://cxsecurity.com/issue/WLB-2007110020
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-238
|Details
XtremeASP PhotoGallery is a web-based image management application. The administrative script shipped with XtremeASP PhotoGallery does not correctly handle user-supplied authentication data, so a remote attacker can exploit this flaw to reach the application without valid credentials. The problem lies in the 'admin/adminlogin.asp' script: because the username and password values are not adequately filtered before use, submitting crafted data bypasses the login check and grants unauthorized access to the application.
|Exploit
source: http://www.securityfocus.com/bid/9438/info

XtremeASP PhotoGallery is prone to an SQL injection vulnerability. The issue is reported to exist in the administration login interface, which does not sufficiently sanitize user-supplied input for username and password values before including it in SQL queries. This could permit remote attackers to pass malicious input to database queries.

http://www.example.com/photoalbum/admin/adminlogin.asp

If we type:

Username: 'or'
Password: 'or'

We gain admin access to the password-protected administrative pages.
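The flaw described above is the classic string-concatenated login query. The following is an added illustration, not code from XtremeASP PhotoGallery or from the advisory: it builds the query the way the vulnerable login page does, shows what the advisory's 'or' input turns it into, and puts the parameterized fix beside it. The table name, column names and credentials are constructed assumptions, and SQLite stands in for the application's real database engine.

```python
import sqlite3

# Constructed stand-in for the gallery's admin table; the real schema is not
# on the page, so the table, columns and credentials here are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct-horse')")
    return conn

def build_login_sql(username, password):
    # The flawed pattern: a quote in the input closes the string literal,
    # so whatever follows is parsed as SQL syntax rather than as data.
    return ("SELECT COUNT(*) FROM admins WHERE username='" + username
            + "' AND password='" + password + "'")

def login_vulnerable(conn, username, password):
    # Executes the concatenated query. With the advisory's input the WHERE
    # clause becomes   username=''or'' AND password=''or''   and the stray
    # ''or'' operands are left to the engine's boolean coercion. The advisory
    # reports the gallery's backend accepted this; SQLite coerces '' to
    # false, so the bypass itself does not reproduce on this engine.
    sql = build_login_sql(username, password)
    return conn.execute(sql).fetchone()[0] > 0

def login_fixed(conn, username, password):
    # Parameterized query: the same input is bound as a value, so it is
    # merely an unknown username and can never change the query's shape.
    sql = "SELECT COUNT(*) FROM admins WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    print(build_login_sql("'or'", "'or'"))
    print("fixed, advisory input:", login_fixed(db, "'or'", "'or'"))
    print("fixed, real credentials:", login_fixed(db, "admin", "correct-horse"))
```

Stripping quote characters, as early ASP fixes often did, only narrows the problem; binding every user-supplied value as a parameter removes it.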
|References

Source: www.pensacolawebdesigns.com, link: http://www.pensacolawebdesigns.com/xtremeasp/readmore.asp
Source: XF, name: xtremeaspphotogallery-or-sql-injection (14860), link: http://xforce.iss.net/xforce/xfdb/14860
Source: BID, name: 9438, link: http://www.securityfocus.com/bid/9438
Source: BUGTRAQ, name: 20040115 XtremeASP PhotoGallery, link: http://www.securityfocus.com/archive/1/archive/1/350028/30/21640/threaded
Source: OSVDB, name: 3585, link: http://www.osvdb.org/3585
Source: SECTRACK, name: 1008745, link: http://securitytracker.com/id?1008745
Source: SECUNIA, name: 10659, link: http://secunia.com/advisories/10659
Source: SREASON, name: 3346, link: http://securityreason.com/securityalert/3346
Source: NSFOCUS, name: 5944, link: http://www.nsfocus.net/vulndb/5944
