[VIM] vendor dispute: VCS

Steven M. Christey coley at linus.mitre.org
Fri Mar 10 20:30:14 EST 2006


Why do these things seem to happen on Fridays?  OK, so this one was late
Thursday.

At first glance it looks like there could be a path disclosure infoleak,
but the "full path" being returned in the verbose error messages is the
same as the URL without the hostname portion, so it's probably NOT an
infoleak.

The URL provided by the vendor is for a demo site.

Using the following values for UpdateID0 yielded the following results:

  - 1594

    normal returned record ID 1594

  - 1590%2b4 (URL-encoded 1590+4)

    ORA-01722: invalid number

    (plus full pathname to the script)

  - [blank value]

    a blank value returned record ID 1758

  - 1

    Error Type:
    (0x80020009)
    Exception occurred.

    (plus path disclosure)

  - *

    Error Type:
    Microsoft OLE DB Provider for Oracle (0x80040E07)
    ORA-01722: invalid number

  - a

    Error Type:
    Microsoft OLE DB Provider for Oracle (0x80040E07)
    ORA-01722: invalid number

  - '

    Error Type:
    Microsoft OLE DB Provider for Oracle (0x80004005)
    ORA-01756: quoted string not properly terminated

  - -1

    Error Type:
    (0x80020009)
    Exception occurred.

Given that 1590+4 did NOT work, and some of the values say "invalid
number" and non-positive numbers yield exceptions, I'm tempted at the
moment to concur with the dispute, but I haven't studied SQL injection
deeply enough to know whether an inability to handle ' is *always* proof
of SQL injection - though I suspect not.

- Steve
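Added example (not part of Steve's message, and not code from the disputed product): a small Python/SQLite model of the three ways a request value such as UpdateID0 can reach the query, run against the probe values listed in the message. The `updates` table, its rows and the function names are constructed for the example, and SQLite stands in for Oracle, so the error text differs; in particular SQLite leaves a quoted value that is not a number simply unmatched, whereas Oracle attempts an implicit numeric conversion of it, which is what produces ORA-01722. The hardened lookup shows the two checks a defender wants: reject anything that does not look like a record ID before it is used, and pass the value as a bind parameter so it never reaches the SQL parser.

```python
import re
import sqlite3

# Constructed stand-in for the table behind UpdateID0 (hypothetical name and rows).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE updates (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO updates VALUES (?, ?)",
                     [(1594, "record 1594"), (1758, "record 1758")])
    return conn

def lookup_concat_raw(conn, value):
    """Vulnerable: the request value is pasted into the SQL text unquoted,
    so the database parses and evaluates whatever the client sent
    (1590+4 is computed to 1594; a lone quote is a parse error)."""
    return conn.execute(f"SELECT id FROM updates WHERE id = {value}").fetchall()

def lookup_concat_quoted(conn, value):
    """Vulnerable: the request value is pasted inside single quotes; a quote
    in the value ends the literal early and the parser sees the remainder."""
    return conn.execute(f"SELECT id FROM updates WHERE id = '{value}'").fetchall()

def lookup_bound(conn, value):
    """Hardened: the value must look like a record ID before it is used, and
    it is passed as a bind parameter, so it never reaches the SQL parser."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError("UpdateID0 must be a positive integer")
    return conn.execute("SELECT id FROM updates WHERE id = ?", (int(value),)).fetchall()

def probe(lookup, value):
    """Run one lookup style against a fresh database and summarise the outcome
    as 'rows=[...]', 'SQL error: ...' or 'rejected: ...'."""
    conn = make_db()
    try:
        return "rows=%s" % [row[0] for row in lookup(conn, value)]
    except sqlite3.Error as exc:
        # Driver error text belongs in the server log, never in the HTTP response.
        return "SQL error: %s" % exc
    except ValueError as exc:
        return "rejected: %s" % exc
    finally:
        conn.close()

if __name__ == "__main__":
    # The same probe values listed in the message above.
    for value in ["1594", "1590+4", "", "1", "*", "a", "'", "-1"]:
        for lookup in (lookup_concat_raw, lookup_concat_quoted, lookup_bound):
            print(f"{lookup.__name__:22s} {value!r:10s} -> {probe(lookup, value)}")
```

Running the block prints one line per lookup style and probe value. The `probe` helper returns the driver's error text only because the comparison of error behaviour is the point here; a production handler should log that text and return a generic error to the client rather than the verbose provider messages quoted in the message above.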
