[VIM] Claimed SQL injection in ArticleLive
security curmudgeon
jericho at attrition.org
Tue May 10 21:49:40 EDT 2005
: FYI, Diabolic Crab's recent advisory on ArticleLive claims SQL
: injection, but doesn't provide any clear examples:
:
: http://www.digitalparadox.org/advisories/inal.txt
: http://marc.theaimsgroup.com/?l=bugtraq&m=111530871724865&w=2
:
: A modified Query parameter to the search utility is given, and the
: parameter starts with the "'" character, but the resulting error message
: suggests straightforward "information-leak-on-error" without any
: apparent relation to SQL injection.
Very likely the case. If he can trigger *any* error with *any* vague SQL
syntax or related words, he assumes it is an SQL injection.
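The distinction drawn above, as an added example that is not part of the original post or of ArticleLive's code: a lone `'` in a search parameter can produce a database error both when the input is concatenated into the SQL text and when it is safely bound, so the error alone shows an information leak rather than injection. The table, data and function names are assumptions, and SQLite with the FTS5 module stands in for the product's unknown backend.

```python
import sqlite3

# Constructed sample data; schema and function names are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE VIRTUAL TABLE articles USING fts5(title)")
    db.executemany("INSERT INTO articles(title) VALUES (?)",
                   [("Patching guide",), ("Release notes",)])
    return db

def search_concat(db, q):
    """Injectable: the input becomes part of the SQL statement text."""
    sql = "SELECT title FROM articles WHERE title LIKE '%" + q + "%'"
    try:
        return [r[0] for r in db.execute(sql)]
    except sqlite3.Error as e:
        return "error: %s" % e      # verbose database error leaked to the caller

def search_bound(db, q):
    """Not injectable: the input is a bound value, yet the full-text
    engine still rejects a lone quote as invalid *search* syntax."""
    try:
        return [r[0] for r in db.execute(
            "SELECT title FROM articles WHERE articles MATCH ?", (q,))]
    except sqlite3.Error as e:
        return "error: %s" % e      # same kind of leak, no injection

def search_hardened(db, q):
    """Bound value plus a generic message: no database detail reaches the caller."""
    try:
        return [r[0] for r in db.execute(
            "SELECT title FROM articles WHERE articles MATCH ?", (q,))]
    except sqlite3.Error:
        return "error: invalid search"

if __name__ == "__main__":
    db = make_db()
    for fn in (search_concat, search_bound, search_hardened):
        print(fn.__name__, "->", fn(db, "'"))
```

Both of the first two handlers return a database error for the same input, which is why an error message on its own does not establish that the input altered the query.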