[VIM] vendor ACK for MGB Guestbook issue
Steven M. Christey
coley at mitre.org
Thu Jan 18 18:55:43 EST 2007
Researcher: SlimTim10
Ref: http://www.milw0rm.com/exploits/3141
Today Jan 18, the vendor site is:
http://www.tv-kritik.net/mgb/index.php
A google translation says: "18.01.2007 | MGB 0.5.4.6 publishes SAFETY
UPDATE/SECURITY UPDATES... the hacker attacks of yesterday forced me
briefly before the publication of the MGB 0,6 to it. The safety gap
over the hackers entrance created myself, I eliminated."
Previous posts have similar related discussion.
A diff between 0.5.4.5 and 0.5.4.6 was rather extensive, but review of
email.php shows:
> $getid = htmlspecialchars(stripslashes(strip_tags(trim($_GET[id]))), ENT_QUOTES);
20c23
...
< $sql="SELECT email, name FROM $db[entrys] WHERE id=".$_GET[id]." ORDER BY ID DESC";
...
> $query = "SELECT email, name FROM $db[entrys] WHERE id='".$getid."' LIMIT 1";
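Review bot: the new `$query` line still builds the WHERE clause by string concatenation, and htmlspecialchars(..., ENT_QUOTES) is an HTML output encoder, not an SQL escaping or validation step, so the quoting around `$getid` is carrying the whole protection; since `id` is a numeric key, validate it as an integer instead (e.g. `$getid = (int) $_GET['id'];` or filter_var with FILTER_VALIDATE_INT) and, where the driver allows it, bind it as a parameter rather than quoting it. The unquoted array index `$_GET[id]` in both the old and the new line should also be `$_GET['id']`; the bare word only works because PHP falls back to the string constant with a notice.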
which is obviously intended to cleanse the id parameter from
email.php, although the use of htmlspecialchars in an SQL query seems
prone to error.
- Steve
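As an added illustration of the point above (this is not code from MGB or from the message, and it is not the vendor's fix), here is the same id lookup from email.php written the way a defender would want it: the id is validated as an integer and bound as a parameter, and htmlspecialchars is moved to the HTML output boundary where it belongs. The table and column names follow the diff (`entrys`, `id`, `email`, `name`); the in-memory SQLite database and the sample rows are constructed for the example.

```php
<?php
// Added example (not from the MGB project): the email.php lookup with a
// prepared statement and an integer check. Table and column names are
// taken from the diff; the SQLite database and rows are constructed here.

function buildSampleDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE entrys (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');
    $ins = $pdo->prepare('INSERT INTO entrys (id, email, name) VALUES (?, ?, ?)');
    // Constructed sample data.
    $ins->execute([1, 'alice@example.invalid', 'Alice']);
    $ins->execute([2, 'bob@example.invalid', 'Bob']);
    return $pdo;
}

// Hardened lookup: the id is a numeric key, so anything that is not a
// positive integer is rejected before it reaches the database, and the
// value is bound as a parameter so the query text never contains input.
function lookupEntry(PDO $pdo, string $db_entrys, $rawId): ?array {
    // FILTER_VALIDATE_INT returns false for "1 OR 1=1", "1'", "abc", ...;
    // only a canonical integer string within the range passes.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // a malformed id is treated as "no such entry"
    }
    // A table name cannot be bound; allow only a fixed identifier pattern.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $db_entrys)) {
        throw new InvalidArgumentException('bad table name');
    }
    $stmt = $pdo->prepare("SELECT email, name FROM $db_entrys WHERE id = :id LIMIT 1");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output encoding belongs at the HTML boundary, not inside the SQL layer.
function renderEntry(?array $row): string {
    if ($row === null) {
        return '<p>Entry not found.</p>';
    }
    return '<p>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
         . ' &lt;' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . '&gt;</p>';
}

$pdo = buildSampleDb();
$db = ['entrys' => 'entrys']; // mirrors $db[entrys] from the diff
foreach (['2', '1 OR 1=1', "1'", 'abc', '999'] as $input) {
    $row = lookupEntry($pdo, $db['entrys'], $input);
    printf("%-12s -> %s\n", var_export($input, true), renderEntry($row));
}
```

Only the '2' input returns a row; every other constructed input is rejected by the integer check before any SQL runs, and '999' simply finds nothing. The design point is that validation and parameter binding handle the database side, while htmlspecialchars is applied once, on the way out to the page.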