[VIM] BID 31930 exploit
Steven M. Christey
coley at linus.mitre.org
Fri Nov 19 09:55:55 CST 2010
This kind of double encoding happens throughout the Bugtraq ID entries; I
see it on a regular basis. I thought I sent an inquiry about this a
couple years ago, but maybe I used the wrong email address.
In the early days of the CVE web site, we used to have this problem in our
search results. One routine would HTML-encode a single CVE description,
then each description in the results would get encoded again when it got
dumped into the full table (or something like that).
I've seen this kind of problem on other security sites over the years.
You can get similar issues related to SQL injection and double quoting of
apostrophes.
- Steve
On Thu, 18 Nov 2010, George A. Theall wrote:
>
> On Nov 18, 2010, at 5:10 AM, security curmudgeon wrote:
>
>>
>> http://www.securityfocus.com/bid/31930/exploit
>>
>> http://www.example.com/[path]/index.php?mod=2&nid=-268)%20UNION%20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass),0,0,0,0,0,0,0,0,0%20FROM%20default_users
>>
>> http://www.example.com/[path]/index.php?mod=0&cpage=-114) UNION ALL
>> SELECT 0,0,0,0,0,version()--
>>
>> --
>>
>> Just want to confirm, it appears the "&" is actually some HTML decoding
>> snafu that is essentially doing & and an encoded &? seems like that should
>> be "&nid=" in the first example and "&cpage" in the second?
>
> Seems to be in error in the BID -- look at the advisory on Packet Storm and
> SecurityReason:
>
> http://packetstormsecurity.org/files/view/71280/tandiscms-sql.txt
> http://securityreason.com/exploitalert/5013
>
>
> George
> --
> theall at tenablesecurity.com
>
>
>
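The double-encoding bug Steve describes above (one routine HTML-encodes each description, then the table renderer encodes the whole row again), reproduced in Python as an added example that is not code from this thread or from the CVE site: the buggy two-stage pipeline, the single-encoding fix, and a heuristic check that flags the resulting `&amp;amp;`-style entities. The sample description is constructed.

```python
import html
import re

# Constructed sample record, stored as plain text (no markup applied yet).
RAW_DESCRIPTION = 'index.php?mod=2&nid=1 returns <b>"user" data</b>'

# An entity whose own ampersand has been encoded again (&amp;lt; &amp;amp; ...)
# is the signature of text that went through an HTML encoder twice. This is a
# heuristic: a description that literally contains "&quot;" would also match.
DOUBLE_ENCODED = re.compile(r"&amp;(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);")


def encode_description(text: str) -> str:
    """Per-record routine: HTML-encodes a single description."""
    return html.escape(text, quote=True)


def render_table_buggy(encoded_descriptions: list[str]) -> str:
    """Buggy renderer: receives already-encoded rows and encodes them again."""
    rows = [f"<tr><td>{html.escape(d, quote=True)}</td></tr>"
            for d in encoded_descriptions]
    return "<table>" + "".join(rows) + "</table>"


def render_table_fixed(raw_descriptions: list[str]) -> str:
    """Fixed renderer: encodes exactly once, at the point of HTML output."""
    rows = [f"<tr><td>{html.escape(d, quote=True)}</td></tr>"
            for d in raw_descriptions]
    return "<table>" + "".join(rows) + "</table>"


def find_double_encoding(rendered: str) -> list[str]:
    """Returns every double-encoded entity found in rendered HTML."""
    return DOUBLE_ENCODED.findall(rendered)


if __name__ == "__main__":
    buggy = render_table_buggy([encode_description(RAW_DESCRIPTION)])
    fixed = render_table_fixed([RAW_DESCRIPTION])
    print("buggy:", buggy)                       # contains &amp;amp;nid=
    print("flagged:", find_double_encoding(buggy))
    print("fixed:", fixed)                       # contains &amp;nid=
    print("flagged:", find_double_encoding(fixed))
```

The check is cheap enough to run over a site's rendered pages as a regression test; a non-empty result points at the stage that encodes a second time.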