[VIM] Vendor dispute - CVE-2006-3249 (Phorum search.php)

Steven M. Christey coley at mitre.org
Mon Jul 3 12:41:53 EDT 2006

FYI.  This was a r0t disclosure.  I haven't investigated more closely.
The bulk of the vendor e-mail to us is quoted in the CVE.

- Steve

Name: CVE-2006-3249
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3249
Reference: MISC:http://pridels.blogspot.com/2006/06/phorum-sql-injection-vuln.html
Reference: MISC:http://www.phorum.org/cgi-bin/trac.cgi/ticket/382#preview


SQL injection vulnerability in search.php in Phorum 5.1.14 and earlier
allows remote attackers to execute arbitrary SQL commands via the page
parameter.  NOTE: the vendor has disputed this report, stating "If a
non positive integer or non-integer is used for the page parameter for
a search URL, the search query will use a negative number for the
LIMIT clause. This causes the query to break, showing no results.  It
IS NOT however a sql injection error."  While the original report is
from a researcher with mixed accuracy, as of 20060703, CVE does not
have any additional information regarding this issue.

More information about the VIM mailing list