[VIM] misinterpretation? (Re: Vice Stats 0.5b SQL injection)

security curmudgeon jericho at attrition.org
Mon Jun 12 18:16:03 EDT 2006


: I have asked crazy cracker for more details.  I'm 99% certain this is a 
: mis-diagnosis.

Vendor confirmed it and mentioned a second vulnerable file.

--

http://www.arantius.com/topic/vice+stats

Topic: Vice Stats
VS Release Version 1.0.1
2006-06-10 15:28 - Vice Stats

Hot on the tails of the version 1.0 release, some kind soul reported a 
security vulnerability to secunia rather than to me directly. Either way, 
it's fixed now, and is only inside the reporting interface. If you use 
the multi-user option (which is password protected) or otherwise limit 
availability to vs_resources.php and vs_search.php then you have no 
problems.

Bugfixes:

    * Security fixes in vs_resource.php and vs_search.php for potential SQL injection.

Download here:

    * vicestats-1.0.1.tar.gz - 695,730 bytes
    * vicestats-1.0.1.zip - 705,661 bytes
