[VIM] Vendor Dispute: PHP-Nuke Top Music Module Multiple Variable SQL Injection

Sullo sullo at cirt.net
Tue May 9 00:26:43 EDT 2006


OSVDB-ID: 21397
Comment: "Hi, this vulnerability is a fake. SQL injection is controlled in all SQL sentences"
http://pridels.blogspot.com/2005/11/top-music-module-for-php-nuke-sql-inj.html

This is a r0t one... I checked out the source and he does a lot of this for protection before
sending it to the database.
	$title=str_replace("'","''",$title);

I don't feel like digging through all the source, but this seems like insufficient protection against 
sql injection, and I don't see any other filtering in the files I looked at.

Sadly, s/he didn't leave a contact email, and I can't find one on the site, so I can't follow up.
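As an added illustration (not code from the original post, from r0t, or from the Top Music module itself), the snippet below places the quote-doubling pattern quoted above beside a parameterised query. It assumes PHP with the PDO SQLite driver so it runs offline; the table name `topmusic`, the column layout and the sample title are constructed for the example and are not taken from the module.

```php
<?php
// Added example: the quote-doubling escape quoted in the post, beside a
// prepared statement. Uses an in-memory SQLite database via PDO so it runs
// offline; table and sample row are constructed here for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE topmusic (id INTEGER PRIMARY KEY, title TEXT)");

// Pattern from the post: double single quotes before interpolating into SQL.
// This only neutralises the quote character for a value that lands inside a
// single-quoted string literal. It does nothing for a value interpolated
// unquoted (a numeric id, for example) and does not cover other characters a
// database's string syntax treats specially (MySQL's backslash, for one),
// which is why it is not sufficient on its own.
function insert_with_quote_doubling(PDO $db, string $title): void
{
    $title = str_replace("'", "''", $title);
    $db->exec("INSERT INTO topmusic (title) VALUES ('$title')");
}

// Hardened form: a prepared statement with a bound parameter. The value is
// never part of the SQL text, so no escaping is needed regardless of whether
// the parameter sits in a quoted or an unquoted position.
function insert_with_prepared_statement(PDO $db, string $title): void
{
    $stmt = $db->prepare("INSERT INTO topmusic (title) VALUES (:title)");
    $stmt->execute([':title' => $title]);
}

// Reading back by id with a bound parameter also covers the unquoted numeric
// position that quote-doubling cannot protect.
function fetch_by_id(PDO $db, int $id): ?string
{
    $stmt = $db->prepare("SELECT title FROM topmusic WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['title'] : null;
}

// Constructed sample input: a legitimate title containing apostrophes.
$sample = "Rock 'n' Roll";
insert_with_quote_doubling($db, $sample);
insert_with_prepared_statement($db, $sample);

// Both rows round-trip the apostrophes intact for this benign input; only the
// prepared-statement path is safe for every position a value may occupy.
var_dump(fetch_by_id($db, 1) === $sample);
var_dump(fetch_by_id($db, 2) === $sample);
```

The point of the side-by-side is that quote-doubling is tied to one specific syntactic position in the query, whereas binding keeps user input out of the SQL text entirely, so reviewing a module for this pattern means checking every place a variable reaches a query, not only the ones wrapped in quotes.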