Description: zOOm Media Gallery (http://zoom.ummagumma.nl) is a php/sql component+module for MamboCMS and is in use by many sites of the internet. I discover a simple SQL Injection in it. Affected Versions: zOOm Image Gallery 2.1.2, * POC: It is possible to proof my concept using the original site of zOOM: http://www.example.com/index.php?option=com_zoom&Itemid=39&catid=2+OR+1=1 the above url can show all images in all categories of images of the zOOM gallery database but other commands are also possible that can result in a database owning. Andreas Constantinides www.megahz.org www.odysseyconsultants.com
