[VIM] Claimed SQL injection in ArticleLive
security curmudgeon
jericho at attrition.org
Tue May 10 22:11:59 EDT 2005
: > Very likely the case. If he can trigger *any* error with *any* vague SQL
: > syntax or related words, he assumes it is an SQL injection.
:
: If it generates an SQL-related error then that should be enough to label
: it SQL injection - although conditions might render it non-exploitable.
: But you aren't always even given the error message. This is in the
: general case, not just Diabolic Crab's.
Right. They assume that since it errors out, it is an SQL injection and
exploitable. The last one I found could only be used on my test box to
make a blog show all the posts at once. Since the blog had no 'private'
posts and it was all public, it essentially did nothing. Technically a
vulnerability, but so lame =)
More information about the VIM
mailing list