[VIM] @1 File Store PRO SQL injection - the old gray dupe

str0ke str0ke at milw0rm.com
Tue Aug 25 22:17:05 UTC 2009


Steven M. Christey wrote:
> On Tue, 25 Aug 2009, str0ke wrote:
>
>>> These vectors for the id parameter in config.php and download.php were
>>> also disclosed by eVuln in 2006, albeit for a different version (version
>>> 2006.03.07, non-pro).  See CVE-2006-1278
>>
>> Are you counting [MIL] 6040 as a dupe from CVE-2006-1278?
>
> Yes, though I'm half-expecting George to pipe up and throw a whole wrench
> into my logic ;-)
>
> - Steve

The vendor stated they fixed the issue in 2006 and released a new
version 2.something.  You can tell by looking at the .zip files 3.2
came out in 2007 and if you look at the files they have been updated in
2009.  So version information wouldn't be correct since they update
source code without putting out new versions.  An extra variable is used
on the milw0rm's version as well, not sure if that could have bypassed the
fix?  The last SQL injection that we actually have isn't ' 'ed so did
they add the single quotes around the query to fix the issues back in
2006 and not sanitize?

I'm betting by looking at timestamps they probably patched the 2008 vuln
in 2009 after missing something or built their 3.x version off of old
source.  Gah so many possibilities.
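The "quotes around the query but no sanitizing" scenario str0ke raises, as an added illustration that is not part of the thread and not the vendor's code: the table, the three lookup variants and the probe inputs are constructed here, with sqlite3 standing in for the product's database. It shows that wrapping the id in single quotes only changes which malformed input reaches the parser, while an integer cast plus a bound parameter rejects both.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the file store's table (not the product's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)",
                     [(1, "a.txt"), (2, "b.txt"), (3, "c.txt")])
    return conn


def lookup_unquoted(conn, raw_id):
    """Original pattern: the id parameter concatenated bare into the query."""
    sql = f"SELECT name FROM files WHERE id={raw_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_quoted(conn, raw_id):
    """Suspected 2006 'fix': single quotes around the value, but still string concatenation."""
    sql = f"SELECT name FROM files WHERE id='{raw_id}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, raw_id):
    """Actual fix: enforce the integer type, then bind the value as a query parameter."""
    try:
        file_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT name FROM files WHERE id=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (file_id,))]


def compare(raw_id):
    """Run one input through all three variants; 'error' marks a rejected or broken query."""
    conn = make_db()
    results = {}
    for label, fn in (("unquoted", lookup_unquoted),
                      ("quoted", lookup_quoted),
                      ("bound", lookup_bound)):
        try:
            results[label] = fn(conn, raw_id)
        except (sqlite3.Error, ValueError):
            results[label] = "error"
    return results


if __name__ == "__main__":
    # Constructed probes: a normal id, an unquoted-style tautology, a quote-breaking one.
    for probe in ("2", "1 OR 1=1", "1' OR '1'='1"):
        print(repr(probe), compare(probe))
```

Only the bound variant treats every non-integer id as an error, which is the behaviour a real fix should show regardless of which version of the source shipped it.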
