[VIM] misinterpretation? (Re: Vice Stats 0.5b SQL injection)
Stuart Moore
smoore at securityglobal.net
Thu Jun 8 18:09:59 EDT 2006
I have asked crazy cracker for more details. I'm 99% certain this is a
mis-diagnosis.
Stuart
Steven M. Christey wrote:
> immediate guess based on no research whatsoever is that a non-numeric
> input for ID would produce an SQL error, which the researcher might be
> mistakenly thinking is SQL injection.
>
> or maybe something like "OR 1 = 1" would work to retrieve the wrong ID?
>
> just a couple guesses...
>
> On Thu, 8 Jun 2006, Stuart Moore wrote:
>
>> Hi. Can someone double check this? In the original "SQL injection"
>> report, it says:
>>
>> /vs_resource.php?ID=[SQL]
>>
>> But in the version 0.2beta, 0.5beta, and 1.0, the first reference to the
>> ID parameter is around line 99:
>>
>> $_GET['ID']=mysql_real_escape_string($_GET['ID']);
>>
>> This is just prior to the use of the ID parameter in:
>>
>> $sql="SELECT r.ID, r.type
>> FROM {$vs_dbPrefix}resource r
>> WHERE r.ID={$_GET['ID']}";
>> $result=mysql_query($sql);
>>
>> Thanks,
>>
>> Stuart
>>
>>
>
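Added example, not part of the thread or of Vice Stats: a Python model of the vs_resource.php pattern quoted above, showing why mysql_real_escape_string() on an unquoted numeric parameter leaves the "OR 1 = 1" shape intact, beside an input-validation fix. The escape function is a hypothetical approximation of PHP's, and the query builders and the `vs_` prefix are assumed.

```python
# Added example (not from the VIM thread or from Vice Stats). All helpers are
# hypothetical; the query text mirrors the snippet quoted in the thread.
import re

def mysql_real_escape_string(s: str) -> str:
    """Python approximation of PHP's mysql_real_escape_string(): it only
    backslash-escapes the characters MySQL treats specially *inside a string
    literal*. Anything else in the input passes through unchanged."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)

def build_query_vulnerable(user_id: str, prefix: str = "vs_") -> str:
    """Mirrors the quoted vs_resource.php flow: escape the value, then
    interpolate it unquoted into a numeric comparison."""
    user_id = mysql_real_escape_string(user_id)
    return f"SELECT r.ID, r.type FROM {prefix}resource r WHERE r.ID={user_id}"

def build_query_hardened(user_id: str, prefix: str = "vs_") -> str:
    """Defensive version: r.ID is numeric, so validate the input as a decimal
    integer before it reaches the SQL text (in PHP: ctype_digit()/intval(),
    or better, a prepared statement with a bound parameter)."""
    if not re.fullmatch(r"[0-9]{1,10}", user_id):
        raise ValueError("ID must be a decimal integer")
    return f"SELECT r.ID, r.type FROM {prefix}resource r WHERE r.ID={int(user_id)}"

def escaping_is_noop_for(value: str) -> bool:
    """True when escaping changes nothing, i.e. the value contained no
    character the escape function cares about."""
    return mysql_real_escape_string(value) == value

def hardened_accepts(value: str) -> bool:
    """True if the hardened builder accepts the value, False if it rejects it."""
    try:
        build_query_hardened(value)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed inputs: a legitimate ID, the shape guessed at in the thread,
    # and a quote-based variant that escaping *does* neutralise.
    for value in ("42", "1 OR 1 = 1", "1' OR '1'='1"):
        print(repr(value), "escaped unchanged:", escaping_is_noop_for(value))
        print("  vulnerable:", build_query_vulnerable(value))
        print("  hardened accepts:", hardened_accepts(value))
```

The run shows that escaping only helps when the value lands inside a quoted string literal; in a bare numeric context the validation step (or a bound parameter) is what actually closes the hole.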