[VIM] misinterpretation? (Re: Vice Stats 0.5b SQL injection)
Stuart Moore
smoore at securityglobal.net
Wed Jun 14 21:33:29 EDT 2006
Follow-up to *my* misinterpretation (the "1%" case :-o)
Even though the code used the recommended mysql_real_escape_string()
function on the user input, the invocation of the filtered parameter was
missing two single quote characters and I didn't pick up on that:
< WHERE r.ID='{$_GET['ID']}'";
---
> WHERE r.ID={$_GET['ID']}";
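Review bot: the `>` line interpolates the escaped parameter into a bare numeric position with no surrounding quotes, so mysql_real_escape_string() contributes nothing here: it only escapes characters that would terminate a quoted string literal, and a value placed outside quotes needs no such character to change the meaning of the WHERE clause. Restoring the quotes as on the `<` line returns the value to a literal context, but for an integer column the more robust fix is to validate or cast the ID to an integer before it reaches the query, or to bind it as a parameter in a prepared statement.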
Stuart
security curmudgeon wrote:
> : I have asked crazy cracker for more details. I'm 99% certain this is a
> : mis-diagnosis.
>
> Vendor confirmed it and mentioned a second vulnerable file.
>
> --
>
> http://www.arantius.com/topic/vice+stats
>
> Topic: Vice Stats
> VS Release Version 1.0.1
> 2006-06-10 15:28 - Vice Stats
>
> Hot on the tails of the version 1.0 release, some kind soul reported a
> security vulnerability to secunia rather than to me directly. Either way,
> it's fixed now, and is only inside the reporting interface. If you use
> the multi-user option (which is password protected) or otherwise limit
> availability to vs_resources.php and vs_search.php then you have no
> problems.
>
> Bugfixes:
>
> * Security fixes in vs_resource.php and vs_search.php for potential
> SQL injection.
>
> Download here:
>
> * vicestats-1.0.1.tar.gz - 695,730 bytes
> * vicestats-1.0.1.zip - 705,661 bytes
>
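To make the missing-quote point concrete, here is an added illustration that is not Vice Stats code: it builds the statement both with and without quotes from the same escaped input, using a stand-in escape helper and an assumed table alias `r`, and then shows the two usual fixes (integer validation and a prepared statement on an assumed PDO connection).

```php
<?php
// Stand-in for mysql_real_escape_string(): backslash-escapes the characters
// that could terminate a quoted literal. Digits, spaces and comparison
// operators pass through untouched, which is the whole problem below.
function escape_like_mysql(string $s): string {
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
                      "\0" => "\\0", "\n" => "\\n", "\r" => "\\r"]);
}

// Constructed sample input with no quote characters, so escaping is a no-op.
$id      = "1 OR 1=1";
$escaped = escape_like_mysql($id);

// The pattern the vulnerable code used: escaped value, no quotes. The escape
// function found nothing to neutralize and the comparison is rewritten.
$unquoted = "SELECT * FROM resources r WHERE r.ID={$escaped}";

// The pattern originally assumed: the same escaped value inside single quotes.
// The entire input becomes one string literal compared against r.ID.
$quoted = "SELECT * FROM resources r WHERE r.ID='{$escaped}'";

echo $unquoted, "\n"; // ... WHERE r.ID=1 OR 1=1
echo $quoted,   "\n"; // ... WHERE r.ID='1 OR 1=1'

// Fix 1: enforce the type. An integer column should only ever receive an
// integer; anything else is rejected before a query is built (null = reject).
$idInt     = filter_var($id, FILTER_VALIDATE_INT);
$fixedCast = ($idInt === false) ? null : "SELECT * FROM resources r WHERE r.ID=" . $idInt;

// Fix 2 (preferred): a prepared statement keeps the value out of the SQL text
// entirely. $pdo is assumed to be an existing PDO connection to the database.
function fetch_resource(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare("SELECT * FROM resources r WHERE r.ID = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```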