[VIM] SQL Injections in phpwebsite

security curmudgeon jericho at attrition.org
Wed Mar 22 18:46:54 EST 2006


: Has anyone looked into the SQL injection flaws in phpwebsite announced here:
: 
:   http://www.securityfocus.com/archive/1/428156/30/0/threaded
: 
: SecurityFocus assigned it BID 17150 and Mitre CVE-2006-1330. The 
: advisory doesn't specify which versions are affected and I haven't found 
: anything about it on the project's site / forums / mailing lists, but 
: Secunia reports the solution is to upgrade to a version higher than 
: 0.8.3, which would mean 0.9.0, released early 2003.
: 
: The first issue does seem to be new, but the second appears to be the 
: same as that covered by CVE-2002-2178 / OSVDB 3850 and announced here:
: 
:   http://archives.neohapsis.com/archives/bugtraq/2002-10/0029.html

OSVDB 3850 covers "article.php HTML IMG tags XSS", not an SQL injection. 
Currently, none of our entries cover an SQL injection in friend.php or 
article.php. CVE 2002-2178 covers article.php sid variable injection, 
but uses it as an example for the IMG tag XSS.



More information about the VIM mailing list