The security expert Ibrahim Raafat discovered critical SQL injection vulnerabilities in Flickr Photo Books which allow attackers to gain complete control of the server and its database.

The giant of online photo management and sharing Flickr, a Yahoo-owned company, was affected by critical vulnerabilities which allow attackers to gain access to the webserver website database.

The alarming discovery was announced by the Egyptian security expert Ibrahim Raafat which has found a critical SQL injection vulnerability in Flickr Photo Books, the feature implemented by Flickr for printing custom photo books through the image hosting website.

The service Flickr Photo Books was recently launched, nearly 5 months ago, Raafat has discovered that manipulating some parameters he was able to conduct an SQL injection on the website.  Acting on the two parameters:

• (page_id , items)
•  items

Raafat was able to conduct a Blind SQL injection meanwhile one  through the modification of the parameter order_id he was able to conduct a Direct SQL Injection that provided the researcher a full access to the Flickr database.

Raafat started to analyze the HTTP headers for all the requests sent to the platform and started checking every single parameter, when he has found Direct SQL injection in order_id parameter POST

order_id=116564954&first_name=aaaa&last_name=sssss&street1=ddddddddddd&street2=ddddddd&city=fffffff&state=ff&postal_code=12547&country_code=US&phone=45454545457&method=flickr.products.orders.setShippingAddress&csrf=1365645560%3Acmj2m0s5jvyrpb9%kld65d65d54d54d55d45dsq&api_key=3c7ab2846f4183ecg56s96d5d5w4e644268&format=json&hermes=1&hermesClient=1&reqId=q3oovqa&nojsoncallback=1