[VIM] Accidentally merged issues from ancient LokwaBB post

Steven M. Christey coley at mitre.org
Fri Jun 3 17:09:37 EDT 2005

SQL injection and form field tampering issues in LokwaBB were
announced by Frog Man way back in June 2002:

  BUGTRAQ:20020608 Security holes in LokwaBB and W-Agora

3 scripts were mentioned, namely member.php, misc.php, and pm.php.

member.php and misc.php are clearly SQL injection.

pm.php allows attackers to read messages by modifying the "pmid"
parameter/variable to arbitrary message IDs, which is NOT SQL injection.

However, multiple VDBs have inadvertently merged the pm.php issue with
the other issues.

Further clarification is obtained by reading Frog Man's more detailed
post at:


(a Google French-to-English translation is sufficient to get the point

- Steve

More information about the VIM mailing list