[VIM] DF MSAnalysis SQL injection in CPG-Nuke Dragonfly CMS

Steven M. Christey coley at mitre.org
Wed Feb 15 23:50:37 EST 2006

While researching the linking.php Dragonfly issue, I fell down the
rabbit hole and found this gem of a forum post:


It deals with a victim of a hack attempt (previously not public?),
with lots of error messages.

Besides getting into the details of the linking.php issue, an SQL
injection problem also appears to exist in a module called "DF
MSAnalysis" which is some port of a product called "MSAnalysis", but
for Dragonfly products.  This appears to be a third party module, not
something maintained by CPG-Nuke.  URL is

This is a nice example for how XSS manipulations can expose SQL
injection issues.  (I'm calling it SQL injection but if someone thinks
it's just path disclosure and no more, definitely let me know :)

Check followup forum posts from musox and DJMaze.  Not clear if musox
is aware that the issue is in his/her product; I'll try to send an

- Steve
