[VIM] site-specific or bad product name? SQL injection PKs Movie Database
Steven M. Christey
coley at mitre.org
Wed Feb 13 17:56:25 UTC 2008
Regarding the SQL injection in MILW0RM:5095 /
http://www.milw0rm.com/exploits/5095 , one of our analysts found that
it doesn't quite look like a real product, and/or is site-specific.
Any ideas?

The researcher's Dork query locates the warriordvds.com web
site. The bottom of the page begins with "PKs Movie Database version
3.0.3 is licensed via ... PK-Designs.com." As of 20080212, the
PK-Designs.com web site doesn't list a product named PKs Movie
Database. The bottom of warriordvds.com also says "Powered by: Ant
Movie Catalog." Ant Movie Catalog is a distributable product
(www.antp.be/software/moviecatalog); however, it does not seem to be
the product in question. First, it is implemented in Pascal and
apparently does not make any use of PHP (there is no
index.php). Second, the history page indicates that 3.1.0 came after
3.0.1; there was no 3.0.3. Third, it apparently does not make use of
the parameters mentioned in the MILW0RM:5095 disclosure. Given that
some uses of PKs Movie Database are "Powered by: Ant Movie Catalog,"
it seems likely that PKs Movie Database is a set of data about
movies, not a product with its own executable files. Thus, perhaps
the disclosure is actually about an unknown PHP application that
also happens to use version 3.0.3 of the PKs Movie Database data.

- Steve