[VIM] Missed vectors in SPIP SQL injection
Steven M. Christey
coley at mitre.org
Thu Feb 2 00:47:46 EST 2006

Based on this disclosure:

  http://www.zone-h.org/en/advisories/read/id=8650/

Note how the disclosers also say:

  or with any other variable (id_article, id_breve..) like:

Some VDBs are not mentioning id_breve.

Also, some VDBs missed this:

  The vendor also discovered 2 potential sql injections in the session
  handling and when posting "petitions" (maybe others).

In the interests of full disclosure, an analyst on the CVE content
team *also* missed this, but we all make mistakes, as is so painfully
obvious every time Brian finds a CVE dupe that was my fault ;-)

- Steve