[VIM] Vendor dispute of OvBB issue (r0t) - seems legit
Steven M. Christey
coley at mitre.org
Wed Nov 30 00:57:17 EST 2005
The front page of http://www.ovbb.org has a dispute of the recent
r0t-reported OvBB issues:
November 29, 2005
There have been several vulnerability reports released in the past
week regarding OvBB, that claim there are at least two instances of
user input being used without being properly sanitized. However,
these reports are completely unsubstantial.
To be clear: there are no known security holes in the system; plenty
of bugs, but none that are known to pose a security risk.
If you have any questions or comments regarding this, don't hesitate
to contact me.
I did some source review and their claim seems legit:
$iThreadID = mysql_real_escape_string($_REQUEST['threadid']);
$sqlResult = sqlquery("SELECT thread.title, thread.parent, COUNT(post.id) AS postcount, thread.poll, thread.open, thread.visible, thread.sticky, thread.notes FROM thread LEFT JOIN post ON (post.parent = thread.id) WHERE thread.id=$iThreadID GROUP BY thread.title");
$iUserID = mysql_real_escape_string($_REQUEST['userid']);
$sqlResult = sqlquery("SELECT * FROM member WHERE id=$iUserID");
NOTE however that there is no verification that threadid and userid
are numeric, which could mean that r0t might have triggered an error
of some sort.
More information about the VIM