[VIM] Errors and oddities in Phorum 5.0.11 XSS/SQL injection

security curmudgeon jericho at attrition.org
Wed Aug 3 06:32:36 EDT 2005


Good catch here.

: OSVDB:11129 read.php SQL injection
: 
: SECUNIA:12980 - generic XSS and SQL injection

My internal note from 2004-10-24:

jericho: not sure where Secunia gets the XSS, the original advisory just 
mentions one SQL injection

: - Positive Technologies releases report on SQL injection in read.php
:   query string for Phorum 5.0.11
: 
:   MISC:http://www.maxpatrol.com/advdetails.asp?id=15
:   MISC:http://www.maxpatrol.com/mp_advisory.asp

Which is what I read that led to the above comment. Back then, I wasn't 
digging into changelogs as heavily as I do now.

: - Phorum releases 5.0.12.  Changelog says "XSS really gone now" and
:   two instances of "fixed sql-injection issue"
: 
:   http://phorum.org/changelog-5.txt
: 
:   Not enough detail for me to be sure they fixed the SQL injection
:   issue.

Release: phorum.5.0.12
   * XSS really gone now - ts77 (10/27/2004)
   * fixed sql-injection issue - ts77 (10/25/2004)
   * fixed sql-injection issue - ts77 (10/24/2004)

:    http://phorum.org/cvs-changelog-5.txt
:   * shows SQL injection in read.php *AND* file.php
:   * lists the XSS as being in search.php

   * XSS really gone now - ts77 (10/27/2004)
      - /search.php
      - /search.php

   * fixed sql-injection issue - ts77 (10/25/2004)
      - /read.php
      - /read.php

   * fixed sql-injection issue - ts77 (10/24/2004)
      - /file.php
      - /file.php

:   - VDB's linked the XSS to Positive Technologies - but they never
:     report XSS

I'd guess Secunia originally mentioned both vulns in their advisory, and 
credited a single source instead of breaking it up.

:   - some VDB's only had the vendor changelog and so didn't know it was
:     read.php
: 
:   - all/most VDB's missed that there are 2 SQL injections, one for
:     read.php and one for file.php

At the time the ptsecurity.ru site had almost no details, mentioned one 
SQL injection and I didn't dig into the changelog. So I was blindly 
following the information in front of me (not so bad in this case, as it 
was accurate at least), but I should have dug further.
 
:   - some VDB's said the XSS was for read.php but there's no evidence
:     of it.

Right, I think they were mixing up the 2nd SQL Injection with the 
search.php XSS issue. 

Off to make two more entries!

Again, very good catch here.

.b
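The thread's point is that the terse changelog hides two separate SQL injection fixes (read.php and file.php) plus an XSS fix (search.php), which only the per-file cvs-changelog reveals. As an added example, not part of the original post or of Phorum's code, this small parser reads the cvs-changelog format quoted above (the excerpt is constructed from the lines in the thread) and emits one row per fix with its deduplicated file list, so same-wording entries touching different files are counted as distinct issues.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the layout of Phorum's cvs-changelog-5.txt as quoted
# in this thread (repeated file lines kept as they appear there).
CVS_CHANGELOG = """\
Release: phorum.5.0.12
   * XSS really gone now - ts77 (10/27/2004)
      - /search.php
      - /search.php

   * fixed sql-injection issue - ts77 (10/25/2004)
      - /read.php
      - /read.php

   * fixed sql-injection issue - ts77 (10/24/2004)
      - /file.php
      - /file.php
"""

RELEASE_RE = re.compile(r"^Release:\s*(?P<rel>\S+)")
# "   * <description> - <committer> (<mm/dd/yyyy>)"
ENTRY_RE = re.compile(r"^\s*\*\s+(?P<desc>.+?)\s+-\s+(?P<who>\S+)\s+\((?P<date>[\d/]+)\)\s*$")
# "      - /path/in/tree.php"
FILE_RE = re.compile(r"^\s*-\s+(?P<path>/\S+)\s*$")

def parse_changelog(text):
    """Return [(release, description, date, sorted unique files)] per '*' entry."""
    entries, release, current = [], None, None
    for line in text.splitlines():
        if m := RELEASE_RE.match(line):
            release = m.group("rel")
        elif m := ENTRY_RE.match(line):
            current = {"release": release, "desc": m.group("desc"),
                       "date": m.group("date"), "files": set()}
            entries.append(current)
        elif (m := FILE_RE.match(line)) and current is not None:
            current["files"].add(m.group("path"))  # collapse duplicate lines
    return [(e["release"], e["desc"], e["date"], sorted(e["files"]))
            for e in entries]

def distinct_issues(entries):
    """Group by wording but keep each dated entry: identical text on different
    dates with different files is two fixes, not one (the read.php/file.php case)."""
    out = OrderedDict()
    for _release, desc, date, files in entries:
        out.setdefault(desc, []).append((date, files))
    return out
```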
