[VIM] MOAUB #15 - PHP MicroCMS 1.0.1
Steven M. Christey
coley at linus.mitre.org
Wed Sep 22 12:47:25 CDT 2010
Researcher: abysssec.com
http://www.exploit-db.com/exploits/15011/
Abysssec claims both username and password are affected, but their source
extract of get_account_information() shows that the password is passed
into an AES_ENCRYPT function, which presumably prevents SQL syntax from
being injected. Yet various VDBs also list the password. Has anybody
investigated this further?
- Steve