[VIM] [OSVDB Mods] [Change Request] 21565: phpBB Blog index.php permalink Variable SQL Injection (fwd)
jericho at attrition.org
Fri Jan 13 08:37:04 EST 2006
---------- Forwarded message ----------
From: security curmudgeon <jericho at attrition.org>
To: Tony Boyd <tony at outshine.com>
Cc: moderators at osvdb.org
Date: Fri, 13 Jan 2006 08:36:52 -0500 (EST)
Subject: Re: [OSVDB Mods] [Change Request] 21565: phpBB Blog index.php permalink Variable SQL Injection
: No errors. See here:
If I try:
It gives me the following error:
Querying the database didn't work. Feeling helpful? Email the webmaster.
SQL Error : 1064 You have an error in your SQL syntax. Check the manual
that corresponds to your MySQL server version for the right syntax to
use near 'AND topic_type=0 ORDER BY topic_time DESC LIMIT 1' at line 1
Notice the SQL error? While it didn't take a ' to cause it, that is no
doubt what the original discoverer saw that prompted them to make this
claim. So it appears that no input will cause the SQL error, but if you
actually try to pass any special characters, they are sanitized, as your
examples above show.
Would you agree?
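Added illustration of the triage point made above (example code, not from the thread and not phpBB Blog's own code): the query shape is inferred from the quoted MySQL error (value interpolated unquoted, so an empty value leaves "permalink= AND ..."), the "sanitized" path is modelled as quoting plus quote-doubling, and both are compared with a bound-parameter query against a constructed in-memory SQLite table. The schema, the query shapes and the escaping rule are assumptions.

```python
import sqlite3

def make_db():
    # Constructed fixture: a minimal stand-in for the topics table (not phpBB Blog's real schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE topics (permalink INTEGER, topic_type INTEGER, topic_time INTEGER, title TEXT)")
    con.executemany("INSERT INTO topics VALUES (?, ?, ?, ?)",
                    [(1, 0, 100, "first post"), (1, 0, 200, "first post, edited"), (2, 1, 300, "sticky")])
    return con

def fetch(con, sql, params):
    """Return ('ok', title-or-None) or ('sql_error', message) so the variants can be compared."""
    try:
        row = con.execute(sql, params).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))

def query_unquoted(con, permalink):
    # Shape inferred from the quoted MySQL error (assumption): the value is interpolated without quotes,
    # so an empty value yields "permalink= AND ..." and the parser fails at AND. An error here
    # shows a malformed statement, not by itself that attacker-controlled SQL runs.
    sql = ("SELECT title FROM topics WHERE permalink=%s AND topic_type=0 "
           "ORDER BY topic_time DESC LIMIT 1" % permalink)
    return fetch(con, sql, ())

def query_escaped(con, permalink):
    # The "sanitized" behaviour the thread reports, modelled as quoting plus quote-doubling (assumption).
    sql = ("SELECT title FROM topics WHERE permalink='%s' AND topic_type=0 "
           "ORDER BY topic_time DESC LIMIT 1" % permalink.replace("'", "''"))
    return fetch(con, sql, ())

def query_param(con, permalink):
    # The robust form: a bound parameter. Empty or quote-bearing input is just a value matching no row.
    sql = "SELECT title FROM topics WHERE permalink=? AND topic_type=0 ORDER BY topic_time DESC LIMIT 1"
    return fetch(con, sql, (permalink,))

if __name__ == "__main__":
    con = make_db()
    for value in ("1", "", "1'"):
        print(repr(value), query_unquoted(con, value), query_escaped(con, value), query_param(con, value))
```

SQLite words its syntax error differently from MySQL, but the failure mode on the empty value is the same: the statement is cut off before AND.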