[VIM] misinterpretation? (Re: Vice Stats 0.5b SQL injection)

Stuart Moore smoore at securityglobal.net
Wed Jun 14 21:33:29 EDT 2006


Follow up to *my* misinterpretation (the "1%" case :-o)

Even though the code used the recommended mysql_real_escape_string() 
function on the user input, the invocation of the filtered parameter was 
missing two single quote characters and I didn't pick up on that:

<       WHERE r.ID='{$_GET['ID']}'";
---
 >       WHERE r.ID={$_GET['ID']}";
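Review bot: the `>` line interpolates `{$_GET['ID']}` into the WHERE clause with no surrounding single quotes, so mysql_real_escape_string() gives no protection there: it only escapes the characters that would terminate a quoted string literal, and an unquoted value is never inside one. Restoring the quotes as on the `<` line makes the escaping effective again; if r.ID is a numeric column, casting the value with `(int)$_GET['ID']` or binding it as a parameter of a prepared statement is the more robust fix, because neither depends on the surrounding quoting being right.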

Stuart
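The mistake described above is a quoting-context error that no escaping function can repair, which makes it a good candidate for a static check. The following Python is an added example, not Vice Stats code or anything posted to the list; it scans PHP source for variables interpolated into SQL-looking double-quoted strings without a single quote on both sides, using constructed sample lines modelled on the two forms in the diff.

```python
import re
from typing import List, Tuple

# Constructed sample PHP source: the two forms of the Vice Stats line from the
# diff above (quoted and unquoted), plus a line mixing both styles.
SAMPLE_PHP = r'''$q = "SELECT * FROM resources r WHERE r.ID='{$_GET['ID']}'";
$q = "SELECT * FROM resources r WHERE r.ID={$_GET['ID']}";
$q = "SELECT * FROM resources r WHERE r.ID=$id AND r.Name='$name'";'''

# A PHP double-quoted string literal, allowing backslash escapes inside it.
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Only strings that look like SQL are worth checking.
SQL_HINT = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|WHERE)\b", re.I)
# A variable interpolated into a double-quoted string: {$expr} or $name[idx].
INTERP = re.compile(r"\{\$[^}]*\}|\$[A-Za-z_]\w*(?:\[[^\]\s]*\])?")


def unquoted_interpolations(php_source: str) -> List[Tuple[int, str]]:
    """Return (line number, interpolation) for each variable interpolated into
    a SQL-looking double-quoted string without a single quote on both sides.
    mysql_real_escape_string() only neutralises characters that matter inside
    a quoted literal, so every hit is a place where escaping alone is useless."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for literal in DQ_STRING.finditer(line):
            body = literal.group(1)
            if not SQL_HINT.search(body):
                continue
            for var in INTERP.finditer(body):
                before = body[var.start() - 1] if var.start() > 0 else ""
                after = body[var.end()] if var.end() < len(body) else ""
                if not (before == "'" and after == "'"):
                    hits.append((lineno, var.group(0)))
    return hits


if __name__ == "__main__":
    for lineno, var in unquoted_interpolations(SAMPLE_PHP):
        print(f"line {lineno}: {var} is interpolated outside a quoted literal")
```

Each hit is a place where the value must be cast to its expected type (an integer for an ID column) or bound as a parameter of a prepared statement; adding quotes merely makes escaping work again, and the check does not parse PHP fully, so treat it as a triage aid rather than proof of safety.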



security curmudgeon wrote:
> : I have asked crazy cracker for more details.  I'm 99% certain this is a 
> : mis-diagnosis.
> 
> Vendor confirmed it and mentioned a second vulnerable file.
> 
> --
> 
> http://www.arantius.com/topic/vice+stats
> 
> Topic: Vice Stats
> VS Release Version 1.0.1
> 2006-06-10 15:28 - Vice Stats
> 
> Hot on the tails of the version 1.0 release, some kind soul reported a 
> security vulnerability to secunia rather than to me directly. Either way, 
> it's fixed now, and is only inside the reporting interface. If you use 
> the multi-user option (which is password protected) or otherwise limit 
> availability to vs_resources.php and vs_search.php then you have no 
> problems.
> 
> Bugfixes:
> 
>     * Security fixes in vs_resource.php and vs_search.php for potential 
> SQL injection.
> 
> Download here:
> 
>     * vicestats-1.0.1.tar.gz - 695,730 bytes
>     * vicestats-1.0.1.zip - 705,661 bytes
> 

