[VIM] Vendor Dispute: PHP-Nuke Top Music Module Multiple Variable SQL Injection
Sullo
sullo at cirt.net
Tue May 9 00:26:43 EDT 2006
OSVDB-ID: 21397
Comment: "Hi, this vulnerability is a fake. SQL injection is controlled in all SQL sentences"
http://pridels.blogspot.com/2005/11/top-music-module-for-php-nuke-sql-inj.html
This is a r0t one... I checked out the source and he does a lot of this for protection before
sending it to the database.
$title = str_replace("'", "''", $title);   // doubles single quotes only; backslashes are left as-is
I don't feel like digging through all the source, but this seems like insufficient protection against
SQL injection, and I don't see any other filtering in the files I looked at.
Sadly, s/he didn't leave a contact email, and I can't find one on the site, so I can't follow up.
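The following is an added example, not code from the VIM post or from the PHP-Nuke Top Music module. It takes the one-line str_replace() quoted above and shows why quote doubling alone does not guarantee that a value stays inside a MySQL string literal, then the parameter binding that removes the escaping question altogether. The literal_status() helper, the topmusic table and the sample inputs are all constructed for this example; the SQLite database is used only so the code runs offline.

```php
<?php
// Added example, not code from the VIM post or from the Top Music module.
// It shows why doubling single quotes alone is not enough to keep a value
// inside a MySQL string literal, and the binding that makes the question moot.

// 1. The module's approach as quoted in the post.
function naive_escape(string $s): string
{
    return str_replace("'", "''", $s);
}

// 2. Hypothetical checker: after naive_escape(), does '<value>' read as
//    exactly one MySQL string literal? MySQL (default sql_mode) treats a
//    backslash as escaping the next character and '' as an embedded quote,
//    so both rules are modelled. Returns 'ok' when the literal closes at
//    its last character, 'closes early' when value text spills into the
//    surrounding SQL, and 'unterminated' when it never closes.
function literal_status(string $literal): string
{
    $len = strlen($literal);
    if ($len < 2 || $literal[0] !== "'") {
        return 'unterminated';
    }
    for ($i = 1; $i < $len; ) {
        $c = $literal[$i];
        if ($c === '\\') {              // \x: skip the escaped character
            $i += 2;
        } elseif ($c === "'") {
            if ($i + 1 < $len && $literal[$i + 1] === "'") {
                $i += 2;                // '': embedded quote, stay inside
            } else {
                return $i === $len - 1 ? 'ok' : 'closes early';
            }
        } else {
            $i++;
        }
    }
    return 'unterminated';
}

// Constructed inputs. Only the first is the case the doubling handles;
// the others contain a backslash, which str_replace() never touches.
$inputs = [
    "Tom's Top 10",   // an apostrophe: doubled correctly -> ok
    "Tom\\",          // value ending in a backslash (Tom\) -> unterminated
    "\\' x",          // backslash, quote, space, x (\' x) -> closes early
];
foreach ($inputs as $in) {
    $lit = "'" . naive_escape($in) . "'";
    printf("%-14s -> %-18s %s\n", json_encode($in), $lit, literal_status($lit));
}

// 3. The fix: bind the value as a parameter, so it never becomes SQL text
//    and no escaping rule has to be right. Run here against an in-memory
//    SQLite database so it works offline; the same PDO calls work with MySQL.
function find_by_title(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id, title FROM topmusic WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topmusic (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO topmusic (title) VALUES (:t)');
foreach ($inputs as $in) {
    $ins->execute([':t' => $in]);
}
foreach ($inputs as $in) {
    // Each awkward value is stored and found again unchanged.
    $rows = find_by_title($db, $in);
    printf("bound lookup %-14s -> %d row(s), title %s\n",
        json_encode($in), count($rows), json_encode($rows[0]['title'] ?? null));
}
```

Two things to check when reviewing code like the module's: whether every doubled value actually lands between quotes in the SQL (a variable interpolated into a numeric comparison gets no protection from quote doubling at all), and whether the database's own escape character, backslash for MySQL, is handled. Parameter binding sidesteps both questions, which is why it is the recommended fix rather than a longer str_replace() list.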