[VIM] security exploit - false positive (fwd)

Steven M. Christey coley at linus.mitre.org
Fri Jan 13 16:05:19 EST 2006


Vendor ACK for phpBB blog (CVE-2005-4346).  Issue is actually in blog.php,
as included by index.php.

- Steve


---------- Forwarded message ----------
Date: Fri, 13 Jan 2006 12:47:22 -0800
From: Tony Boyd
To: Steven M. Christey <coley at rcf-smtp.mitre.org>
Subject: Re: security exploit - false positive

Steve,

[snip] I tried to reproduce the SQL injection, but could not.  And since I
strip out non-numeric characters, I couldn't conceive of how SQL code was
getting in.  I thought maybe my regex was leaky, but I couldn't find a way
to get around it in my own testing.

You are correct: when entering a single quote with nothing else, the
single quote is stripped, leaving no number.  This should cause an SQL
error, because no id was specified.  It doesn't mean SQL injection, though.


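The behaviour the vendor describes above can be reproduced in a few lines. The following is an added example, not code from the phpBB blog mod or from either correspondent, and it is written in Python against an in-memory SQLite table rather than the project's PHP and MySQL; the table name `blog_posts`, the sample rows and the function names are constructed for the illustration. It mirrors a "strip every non-digit" sanitizer, shows that an input consisting only of a quote yields an empty id and therefore a malformed query (an error, not an injection), and shows the hardened variant that rejects an empty result and binds the id as a parameter.

```python
import re
import sqlite3


def strip_non_numeric(raw: str) -> str:
    """Mirror the sanitizer described in the thread: drop every non-digit."""
    return re.sub(r"[^0-9]", "", raw)


def build_query_unchecked(raw_id: str) -> str:
    """Interpolate the stripped value straight into SQL, with no emptiness check.

    With raw_id == "'" the stripped value is "", so the text ends in
    "WHERE id = " and the database rejects it as incomplete SQL.
    """
    return f"SELECT id, title FROM blog_posts WHERE id = {strip_non_numeric(raw_id)}"


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the blog's post table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog_posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO blog_posts (id, title) VALUES (?, ?)",
        [(1, "First post"), (2, "Second post")],
    )
    conn.commit()
    return conn


def run_unchecked(conn: sqlite3.Connection, raw_id: str):
    """Execute the unchecked query; report ("ok", rows) or ("error", message)."""
    try:
        rows = conn.execute(build_query_unchecked(raw_id)).fetchall()
        return ("ok", rows)
    except sqlite3.Error as exc:
        # An empty id produces a syntax/incomplete-input error: noisy, but
        # the attacker controls no SQL tokens, so this is not injection.
        return ("error", str(exc))


def fetch_post_hardened(conn: sqlite3.Connection, raw_id: str):
    """Reject an empty id up front and bind the value instead of interpolating it."""
    digits = strip_non_numeric(raw_id)
    if not digits:
        return None  # caller can answer 400/404 instead of leaking a DB error
    return conn.execute(
        "SELECT id, title FROM blog_posts WHERE id = ?", (int(digits),)
    ).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    for candidate in ("1", "'", "2' OR 1=1 --"):
        print(repr(candidate), "->", run_unchecked(db, candidate))
        print(repr(candidate), "hardened ->", fetch_post_hardened(db, candidate))
```

Two things worth noticing when running it. A classic payload such as `2' OR 1=1 --` collapses to the digits `211`, so it can only ever select a different post, never alter the query structure; the "vulnerability" is confined to the error message that a bare quote provokes. Stripping rather than rejecting does silently change the requested id, which is why the hardened variant checks for an empty result and passes the value as a bound parameter rather than relying on the regex alone.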