[VIM] WF-Sections SQL injection vendor ack; shows up in other modules

Steven M. Christey coley at mitre.org
Wed Apr 11 22:47:29 UTC 2007


Researcher: ajann

Refs: milw0rm 3644, 3645, 3646

Probably only OSVDB and CVE make these distinctions, but these recent
disclosures all seem to stem from the same core module called
"WF-Section 1.01" (which was apparently renamed to "WF-Sections 1.02"
in the fix).  Looks like WF-Section(s) was popular enough that others
wanted to modify it.

Vendor ack is here:

  http://www.xoops.org/modules/news/article.php?storyid=3717
  http://addons.zarilia.com/index.php?page_type=static&id=43

Diffs between WF-Sections 1.02's print.php and the print.php files from
zmagazine and XFsection show sufficient commonality, but also
demonstrate that the modifications of the original WF-Sections code
were more than just a couple cosmetic changes, although version
discrepancies are probably making things worse, too.

- Steve

