[VIM] Vendor dispute of OvBB issue (r0t) - seems legit

Steven M. Christey coley at mitre.org
Wed Nov 30 00:57:17 EST 2005

The front page of http://www.ovbb.org has a dispute  of the recent
r0t-reported OvBB issues:

  November 29, 2005

  There have been several vulnerability reports released in the past
  week regarding OvBB, that claim there are at least two instances of
  user input being used without being properly sanitized. However,
  these reports are completely unsubstantial.

  To be clear: there are no known security holes in the system; plenty
  of bugs, but none that are known to pose a security risk.

  If you have any questions or comments regarding this, don't hesitate
  to contact me.

I did some source review and their claim seems legit:


        $iThreadID = mysql_real_escape_string($_REQUEST['threadid']);


	$sqlResult = sqlquery("SELECT thread.title, thread.parent, COUNT(post.id) AS postcount, thread.poll, thread.open, thread.visible, thread.sticky, thread.notes FROM thread LEFT JOIN post ON (post.parent = thread.id) WHERE thread.id=$iThreadID GROUP BY thread.title");


	$iUserID = mysql_real_escape_string($_REQUEST['userid']);


	$sqlResult = sqlquery("SELECT * FROM member WHERE id=$iUserID");

NOTE however that there is no verification that threadid and userid
are numeric, which could mean that r0t might have triggered an error
of some sort.

- Steve

More information about the VIM mailing list