[VIM] Confirmation (source inspection) of various r0t-discovered
Steven M. Christey
coley at mitre.org
Sun Nov 27 03:05:58 EST 2005
I've taken a small interest in observing r0t (r0t3d3Vil) since he's
done a whole lot of reports in the past couple of days in software
that hasn't been reported vulnerable before... plus his blog profile
says he's 14.

Most of his analyses are of for-purchase products, so I couldn't check
those. At least one demo site for one vendor had been tested by him,
as his leftover XSS attempts indicated :-/ so some of his results
might be coming from tests of vendor demo sites.

Anyway, for some products with source available, I was able to confirm
- by source inspection only - several recent issues.

searchFor is directly inserted into a $title variable.

line 205 news.php -

Multiple locations exist, including the title() function where a
$_GET['id'] (line 174) is fed directly into a $query variable without
quoting (line 179), which is then fed to mysql_query() (line 180).
source code review of 1.3 shows that snews.php is the affected file.

For CVE-2005-3833 - Tunez "songinfo.php?song_id=[SQL]" SQL injection -
source code inspection of songinfo.php suggests that an addslashes()
is performed on the song_id parameter, so this report might be
incorrect or associated with a different type of issue, e.g. a SQL
error from a query with a non-numeric value.

Cross-site scripting (XSS) vulnerability in search.php in Tunez 1.21
and earlier allows remote attackers to inject arbitrary web script or
HTML via the searchFor parameter.

SQL injection vulnerability in news.php in Fantastic News 2.1.1 and
earlier allows remote attackers to execute arbitrary SQL commands via
the category parameter.

SQL injection vulnerability in snews.php in sNews 1.3 and earlier
allows remote attackers to execute arbitrary SQL commands via the (1)
id and (2) category parameters to index.php.
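Added example (not code from Tunez, sNews, Fantastic News, or from the post above): the two patterns the message describes are an id fed unquoted into a query, and an id passed through addslashes() first. The block below shows why those are closer than they look: addslashes() only escapes quote characters and backslashes, so when the escaped value is concatenated into a numeric comparison without surrounding quotes, a payload like `1 OR 1=1` contains nothing to escape and runs as written, while a non-numeric value like `abc` simply produces a SQL error. Everything here is constructed: an in-memory SQLite table standing in for the songs table, and a Python re-implementation of PHP's addslashes(). The MySQL quoted-string case is deliberately not reproduced, since SQLite does not honor backslash escapes inside string literals.

```python
# Added example, not code from any of the products discussed in the post.
# Demonstrates addslashes() applied to a parameter that is then used
# unquoted in a numeric SQL comparison, versus validating and binding it.
import sqlite3

# Constructed sample rows, not data from any real product.
SAMPLE_SONGS = [(1, "First"), (2, "Second"), (3, "Third")]


def make_db():
    """Build a throwaway songs table with an assumed schema (song_id, title)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE songs (song_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO songs VALUES (?, ?)", SAMPLE_SONGS)
    return conn


def addslashes(value):
    """Emulate PHP addslashes(): backslash before ', ", \\ and NUL; nothing else is touched."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def songinfo_unquoted(conn, song_id):
    """Vulnerable pattern: escaped, then concatenated without quotes into a numeric comparison.

    Returns ("rows", [...]) or ("error", message) so both outcomes the post
    discusses are visible: an injection that succeeds, and a non-numeric
    value that merely produces a SQL error.
    """
    query = "SELECT song_id, title FROM songs WHERE song_id = " + addslashes(song_id)
    try:
        return ("rows", conn.execute(query).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def songinfo_hardened(conn, song_id):
    """Fixed pattern: require an integer, then bind it as a query parameter.

    Returns the matching rows, or None when the input is not an integer
    (the caller would answer with a 4xx instead of running any query).
    """
    try:
        numeric_id = int(song_id)
    except ValueError:
        return None
    return conn.execute(
        "SELECT song_id, title FROM songs WHERE song_id = ?", (numeric_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # addslashes() finds nothing to escape, so the boolean injection runs as written.
    print(songinfo_unquoted(db, "1 OR 1=1"))  # ('rows', [(1, 'First'), (2, 'Second'), (3, 'Third')])
    # A bare word is also untouched by addslashes(); SQLite reads it as a column name.
    print(songinfo_unquoted(db, "abc"))       # ('error', 'no such column: abc')
    print(songinfo_hardened(db, "1 OR 1=1"))  # None: rejected before any SQL runs
    print(songinfo_hardened(db, "2"))         # [(2, 'Second')]
```

The takeaway for source inspection: seeing addslashes() on a parameter is only a fix if the escaped value ends up inside a quoted string literal in the query; in an unquoted numeric context it is no protection at all, and the integer cast plus parameter binding in songinfo_hardened is the pattern to look for instead.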