[VIM] twice doubtful: Maran PHP Shop SQL injection issues
Steven M. Christey
coley at linus.mitre.org
Thu Feb 26 00:07:40 UTC 2009
According to http://www.maran.pamil-visions.com/index.php, Maran PHP Shop
"don't use mySQL for DB, is using flat file .txt."
So it's interesting that at least two disclosures claim SQL injection.
CVE-2008-4880 / MILW0RM:6958
Researcher: d3v1l [Avram Marius]
CVE-2008-4879 / MILW0RM:6958
Researcher: JosS
I downloaded the code and grepped for "sql" and found nothing. It's
pretty clear that the code uses flat files separated by "#" characters.
There's nothing I see in the source code that suggests where these
researchers came up with their conclusions.
Oddly, JosS presents a live URL.
- Steve
More information about the VIM
mailing list