[VIM] SOBI2 showbiz SQL injection - false, or site-specific
George A. Theall
theall at tenablesecurity.com
Sat Jan 31 00:57:08 UTC 2009
On Jan 30, 2009, at 6:50 PM, Steven M. Christey wrote:
> http://www.milw0rm.com/exploits/7841
>
> BID:33378 says the vendor disputed.
>
> I downloaded and grepped for "showbiz" and "bid" and didn't find
> anything.
>
> Maybe this was some site-specific modification?

When I looked last week, the site mentioned in the milw0rm advisory
appeared to be running SOBI2 RC 2.8.2. I have 2.8.4 as well as
2.9.1.0; there is no mention in either of 'showbiz'. And if you
google for 'inurl:option inurl:com_sobi2 inurl:showbiz', you only turn
up that one site. I initially wasn't sure if the issue affected only
older versions or it was site-specific, but with the vendor disputing
the report, I'm inclined to believe them.
George
--
theall at tenablesecurity.com