[VIM] provable vendor ACK for PHPX SQL injection
Steven M. Christey
coley at mitre.org
Sun Dec 4 17:29:20 EST 2005
Vendor has a vague ACK at:
A patch is provided.
A diff of auth.inc.php between 3.5.9 and the patch shows a new
check that $username is alphanumeric.
Reference: BUGTRAQ:20051130 PhpX <= 3.5.9 SQL Injection -> login bypass -> remote command/code execution
SQL injection vulnerability in auth.inc.php in PHPX 3.5.9 and earlier
allows remote attackers to execute arbitrary SQL commands, bypass
authentication, and upload arbitrary PHP code via the username
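The fix the post describes, an allow-list check on $username before it reaches the query, alongside the interpolation pattern it replaces, as an added illustration that is not PHPX's auth.inc.php or the vendor patch. The users table, its username and password_hash columns, and the PDO/SQLite setup are assumptions made for this example; the demo data is constructed inline.

```php
<?php
// Added example, not PHPX's own code. Table/column names (users,
// username, password_hash) and the in-memory SQLite backend are assumptions.

declare(strict_types=1);

// Vulnerable shape: the raw username is interpolated into the SQL text, so
// the query's meaning depends on the input. This is the class of bug the
// advisory describes (injection in the login path).
function findUserVulnerable(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, password_hash FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened shape: reject anything that is not alphanumeric before touching
// the database (the kind of check the vendor patch adds), and bind the value
// anyway so the query text is fixed no matter what the input is.
function findUserHardened(PDO $pdo, string $username): ?array
{
    if ($username === '' || strlen($username) > 32 || !ctype_alnum($username)) {
        return null; // treated as a failed login, no query is issued
    }
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login check built on the hardened lookup; password_verify() does a
// constant-time comparison against the stored hash.
function login(PDO $pdo, string $username, string $password): bool
{
    $user = findUserHardened($pdo, $username);
    return $user !== null && password_verify($password, $user['password_hash']);
}

// Self-contained demo against an in-memory database with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(login($pdo, 'alice', 'correct horse'));  // valid credentials
var_dump(login($pdo, 'alice', 'wrong'));          // bad password
var_dump(login($pdo, "o'brien", 'x'));            // rejected by ctype_alnum, never queried
```

Two things worth noting for anyone applying the same fix: the alphanumeric allow-list is strict enough that legitimate usernames containing punctuation (the o'brien case above) are refused, so it needs to match the application's actual username policy; and the allow-list alone is not what makes the query safe, the prepared statement is, which is why the hardened version does both.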