[VIM] Accidentally merged issues from ancient LokwaBB post
Steven M. Christey
coley at mitre.org
Fri Jun 3 17:09:37 EDT 2005
SQL injection and form field tampering issues in LokwaBB were
announced by Frog Man way back in June 2002:

BUGTRAQ:20020608 Security holes in LokwaBB and W-Agora
URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0055.html

3 scripts were mentioned, namely member.php, misc.php, and pm.php.

member.php and misc.php are clearly SQL injection.

pm.php allows attackers to read messages by modifying the "pmid"
parameter/variable to arbitrary message IDs, which is NOT SQL injection.

However, multiple VDBs have inadvertently merged the pm.php issue with
the other issues.

Further clarification is obtained by reading Frog Man's more detailed
post at:

http://www.ifrance.com/kitetoua/tuto/LokwaBB.txt

(a Google French-to-English translation is sufficient to get the point
across).
- Steve
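
Added example, not part of the original post and not LokwaBB code: a Python/sqlite3 sketch of why the two classes described above should stay separate entries. Binding parameters closes the injection, while the "pmid" read still needs an ownership check. The schema, function names and sample rows are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: two members, one private message each.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE pms (pmid INTEGER PRIMARY KEY, owner INTEGER, body TEXT);
        INSERT INTO members VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO pms VALUES (10, 1, 'for alice'), (11, 2, 'for bob');
    """)
    return db

# Class 1: SQL injection. The request value becomes part of the query text.
def member_lookup_concat(db, member_id):
    sql = "SELECT name FROM members WHERE id = " + member_id
    return [r[0] for r in db.execute(sql)]

# Fix for class 1: bind the value so it cannot alter the query structure.
def member_lookup_bound(db, member_id):
    sql = "SELECT name FROM members WHERE id = ?"
    return [r[0] for r in db.execute(sql, (member_id,))]

# Class 2: identifier tampering. The query is already parameterized, so this
# is not injection, yet any existing pmid is served to any logged-in user.
def read_pm_unchecked(db, session_user, pmid):
    row = db.execute("SELECT body FROM pms WHERE pmid = ?", (pmid,)).fetchone()
    return row[0] if row else None

# Fix for class 2: an authorization check tying the message to the session.
def read_pm_owner_checked(db, session_user, pmid):
    row = db.execute("SELECT body FROM pms WHERE pmid = ? AND owner = ?",
                     (pmid, session_user)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"  # constructed input
    print("concat:", member_lookup_concat(db, tampered))
    print("bound: ", member_lookup_bound(db, tampered))
    # User 1 asks for message 11, which belongs to user 2.
    print("unchecked:", read_pm_unchecked(db, 1, 11))
    print("checked:  ", read_pm_owner_checked(db, 1, 11))
```
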