[VIM] misinterpretation? (Re: Vice Stats 0.5b SQL injection)
security curmudgeon
jericho at attrition.org
Mon Jun 12 18:16:03 EDT 2006
: I have asked crazy cracker for more details. I'm 99% certain this is a
: mis-diagnosis.
Vendor confirmed it and mentioned a second vulnerable file.
--
http://www.arantius.com/topic/vice+stats
Topic: Vice Stats
VS Release Version 1.0.1
2006-06-10 15:28 - Vice Stats
Hot on the tails of the version 1.0 release, some kind soul reported a
security vulnerability to secunia rather than to me directly. Either way,
it's fixed now, and is only inside the reporting interface. If you use
the multi-user option (which is password protected) or otherwise limit
availability to vs_resources.php and vs_search.php then you have no
problems.
Bugfixes:
* Security fixes in vs_resource.php and vs_search.php for potential
SQL injection.
Download here:
* vicestats-1.0.1.tar.gz - 695,730 bytes
* vicestats-1.0.1.zip - 705,661 bytes