[VIM] Claimed SQL injection in ArticleLive

Steven M. Christey coley at linus.mitre.org
Tue May 10 22:01:30 EDT 2005

On Tue, 10 May 2005, security curmudgeon wrote:

> : FYI, Diabolic Crab's recent advisory on ArticleLive claims SQL
> : injection, but doesn't provide any clear examples:
> :
> :   http://www.digitalparadox.org/advisories/inal.txt
> :   http://marc.theaimsgroup.com/?l=bugtraq&m=111530871724865&w=2
> :
> : A modified Query parameter to the search utility is given, and the
> : parameter starts with the "'" character, but the resulting error message
> : suggests straightforward "information-leak-on-error" without any
> : apparent relation to SQL injection.
> Very likely the case. If he can trigger *any* error with *any* vague SQL
> syntax or related words, he assumes it is an SQL injection.

If it generates an SQL-related error then that should be enough to label
it SQL injection - although conditions might render it non-exploitable.
But you aren't always even given the error message.  This is in the
general case, not just Diabolic Crab's.

Unfortunately, the lack of solid diagnosis is a common researcher error.

- Steve

More information about the VIM mailing list