[VIM] Dragonfly Commerce disputes reports

security curmudgeon jericho at attrition.org
Mon Jul 18 02:16:59 EDT 2005

: Yes, the only way to really deal with them is to verify ourselves.
: Whichever side is true, I suspect that in general we'll see a lot of
: these "invalid input" SQL problems being labeled as SQL injection.
: Only makes sense for a SQL query to barf if it's given a non-numeric
: argument for a numeric field, and quoting the input might stop injection
: but it won't stop the query from failing.

It would be nice if someone respected on F-D or Bugtraq would make a post 
regarding 'vulnerability research' and touch on some of these issues. 
Mainly a) testing live sites isn't indicative of a vuln in the distributed 
product and b) throwing a ' in a field and getting an SQL error message 
isn't confirmation of an injection vulnerability.

I'm sure there are other things that are common, but those two come to 
mind first.
