[VIM] Claimed SQL injection in ArticleLive

security curmudgeon jericho at attrition.org
Tue May 10 21:49:40 EDT 2005

: FYI, Diabolic Crab's recent advisory on ArticleLive claims SQL
: injection, but doesn't provide any clear examples:
:   http://www.digitalparadox.org/advisories/inal.txt
:   http://marc.theaimsgroup.com/?l=bugtraq&m=111530871724865&w=2
: A modified Query parameter to the search utility is given, and the 
: parameter starts with the "'" character, but the resulting error message 
: suggests straightforward "information-leak-on-error" without any 
: apparent relation to SQL injection.

Very likely the case. If he can trigger *any* error with *any* vague SQL 
syntax or related words, he assumes it is an SQL injection.

More information about the VIM mailing list