[VIM] DF MSAnalysis SQL injection in CPG-Nuke Dragonfly CMS 9.0.6.1

Steven M. Christey coley at mitre.org
Wed Feb 15 23:50:37 EST 2006


While researching the linking.php Dragonfly issue, I fell down the
rabbit hole and found this gem of a forum post:

  http://dragonflycms.org/Forums/viewtopic/t=14751.html

It deals with a victim of a hack attempt (previously not public?),
with lots of error messages.

Besides getting into the details of the linking.php issue, an SQL
injection problem also appears to exist in a module called "DF
MSAnalysis" which is some port of a product called "MSAnalysis", but
for Dragonfly products.  This appears to be a third party module, not
something maintained by CPG-Nuke.  URL is
http://www.musox.com/index.php

This is a nice example for how XSS manipulations can expose SQL
injection issues.  (I'm calling it SQL injection but it someone thinks
it's just path disclosure and no more, definitely let me know :)

Check followup forum posts from musox and DJMaze.  Note clear if musox
is aware that the issue is in his/her product; I'll try to send an
email.

- Steve


More information about the VIM mailing list