[VIM] Confirmation (source inspection) of various r0t-discovered issues

Steven M. Christey coley at mitre.org
Sun Nov 27 03:05:58 EST 2005

I've taken a small interest in observing r0t (r0t3d3Vil) since he's
done a whole lot of reports in the past couple of days in software
that hasn't been reported vulnerable before... plus his blog profile
says he's 14.

Most of his analyses are of for-purchase products, so I couldn't check
those.  At least one demo site for one vendor had been tested by him,
as his leftover XSS attempts indicated :-/ so some of his results
might be coming from tests of vendor demo sites.

Anyway, for some products with source available, I was able to confirm
- by source inspection only - several recent issues.


  searchFor is directly inserted into a $title variable.


  line 205 news.php -
  $where="AND c.category_id=".$_REQUEST['category']."";


  Multiple locations exist, including the title() function where a
  $_GET['id'] (line 174) is fed directly into a $query variable without
  quoting (line 179), which is then fed to mysql_query() (line 180).

  source code review of 1.3 shows that snews.php is the affected file.

For CVE-2005-3833 - Tunez "songinfo.php?song_id=[SQL]" SQL injection -
source code inspection of songinfo.php suggests that an addslashes()
is performed on the song_id parameter, so this report might be
incorrect or associated with a different type of issue, e.g. a SQL
error from a query with a non-numeric value.

- Steve

Name: CVE-2005-3834
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3834
Reference: MISC:http://pridels.blogspot.com/2005/11/tunez-sql-and-xss-vuln.html
Reference: BID:15548
Reference: URL:http://www.securityfocus.com/bid/15548
Reference: OSVDB:21063
Reference: URL:http://www.osvdb.org/21063
Reference: SECUNIA:17692
Reference: URL:http://secunia.com/advisories/17692

Cross-site scripting (XSS) vulnerability in search.php in Tunez 1.21
and earlier allows remote attackers to inject arbitrary web script or
HTML via the searchFor parameter.

Name: CVE-2005-3846
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3846
Reference: MISC:http://pridels.blogspot.com/2005/11/fantastic-news-category-sql-inj.html
Reference: FRSIRT:ADV-2005-2595
Reference: URL:http://www.frsirt.com/english/advisories/2005/2595

SQL injection vulnerability in news.php in Fantastic News 2.1.1 and
earlier allows remote attackers to execute arbitrary SQL commands via
the category parameter.

Name: CVE-2005-3853
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3853
Reference: MISC:http://pridels.blogspot.com/2005/11/snews-13-sql-injection.html
Reference: OSVDB:21093
Reference: URL:http://www.osvdb.org/21093
Reference: SECUNIA:17688
Reference: URL:http://secunia.com/advisories/17688

SQL injection vulnerability in snews.php in sNews 1.3 and earlier
allows remote attackers to execute arbitrary SQL commands via the (1)
id and (2) category parameters to index.php.

More information about the VIM mailing list