[VIM] Alternate theory on OvBB "SQL" vulnerability (fwd)
Steven M. Christey
coley at linus.mitre.org
Wed Nov 30 01:17:07 EST 2005
We'll see what the vendor says... Maybe one day I'll actually get PHP on
some system and check this stuff out for reals :)
---------- Forwarded message ----------
Date: Wed, 30 Nov 2005 01:16:02 -0500 (EST)
From: Steven M. Christey <coley at mitre.org>
To: jon at ovbb.org
Cc: coley at mitre.org
Subject: Alternate theory on OvBB "SQL" vulnerability
Hello,
I'm a vulnerability researcher for CVE, a standard naming scheme for
vulnerabilities.
I looked at the source code for 0.08a and saw how you used
mysql_real_escape_string to sanitize the parameters in question.
However, you don't check that they are numeric.
If someone has PHP verbose errors on, and you provide the parameters
with a non-numeric argument, then would it generate a SQL error that
complains about the bad data type?
This could be what r0t saw that made him think it's SQL injection.
This is a common diagnostic error made by many beginning researchers.
- Steve
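The pattern Steve describes, as an added illustration that is not OvBB's code and not part of the original message: an id-style parameter that is escaped but never checked for being numeric, next to a version that validates the type first and binds the value. The table and column names (posts, id, subject), the function names, and the use of mysqli (the successor to the old mysql_* functions, which is what mysql_real_escape_string belonged to) are assumptions for the example.

```php
<?php
// Added example: two ways of handling an id-style parameter before it
// reaches MySQL. Table, column and function names are assumed.

// Pattern 1: escape-only. real_escape_string() stops a quote from ending
// the string literal, so this is not a classic quoted-string injection.
// But it accepts any string, so "42abc" or "foo" is still sent to the
// database inside quotes. What MySQL then does (silently coerce, warn,
// or raise an error) depends on the column type and sql_mode, so an
// error message alone does not prove injection.
function query_escape_only(mysqli $db, string $id): string {
    $safe = $db->real_escape_string($id);
    return "SELECT subject FROM posts WHERE id = '$safe'";
}

// Pattern 2: validate the type first, then bind. ctype_digit() rejects
// anything that is not an unsigned decimal integer (including the empty
// string, a sign, or trailing characters).
function is_valid_id(string $id): bool {
    return ctype_digit($id) && strlen($id) <= 10;   // assumed upper bound on width
}

function fetch_subject(mysqli $db, string $id): ?string {
    if (!is_valid_id($id)) {
        // Fail closed, and do not echo the database's own error text
        // back to the client; verbose SQL errors are what make a
        // bad-input bug look like an injection bug.
        http_response_code(400);
        return null;
    }
    $int = (int) $id;
    $stmt = $db->prepare("SELECT subject FROM posts WHERE id = ?");
    $stmt->bind_param('i', $int);   // 'i' = integer; value travels apart from the SQL text
    $stmt->execute();
    $stmt->bind_result($subject);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $subject : null;
}

// Self-check without a database: which inputs the validator lets through.
foreach (['42', '42abc', "1' OR '1'='1", '-1', ''] as $input) {
    printf("%-16s -> %s\n", var_export($input, true),
           is_valid_id($input) ? 'accepted' : 'rejected');
}
```

When triaging a report like the one discussed above, the check that separates a type-handling error from real injection is a differential test rather than an error message: supply a value that should be true and one that should be false (for instance an id followed by `AND 1=1` versus `AND 1=2`) and see whether the page content changes. With the escape-only pattern inside quotes, both just become part of the quoted string and the result does not change; with the validating version, both are rejected before any query runs.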