[VIM] Vendor dispute - CVE-2006-3249 (Phorum search.php)
Steven M. Christey
coley at mitre.org
Mon Jul 3 12:41:53 EDT 2006
FYI. This was a r0t disclosure. I haven't investigated more closely.
The bulk of the vendor e-mail to us is quoted in the CVE.
** DISPUTED **
SQL injection vulnerability in search.php in Phorum 5.1.14 and earlier
allows remote attackers to execute arbitrary SQL commands via the page
parameter. NOTE: the vendor has disputed this report, stating "If a
non positive integer or non-integer is used for the page parameter for
a search URL, the search query will use a negative number for the
LIMIT clause. This causes the query to break, showing no results. It
IS NOT however a sql injection error." While the original report is
from a researcher with mixed accuracy, as of 20060703, CVE does not
have any additional information regarding this issue.
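The vendor's explanation above amounts to a claim about how the page parameter is handled before it reaches the query: it is cast to an integer, so attacker-supplied text never enters the SQL string, but a non-positive or non-numeric value produces a negative LIMIT offset that MySQL rejects. The following is an added example (not Phorum's code and not from the original post) that models that handling in Python; the function names, the page size and the query shape are assumptions for illustration, and the `clamp` option shows the input check that would turn the broken-query bug into a well-formed first-page query.

```python
# Added example, not Phorum code: models the handling the vendor describes
# for search.php's "page" parameter.  Names, PER_PAGE and the query shape
# are assumptions for illustration only.
import re

PER_PAGE = 20  # assumed page size; Phorum's real value is not in the post


def php_intval(value: str) -> int:
    """Mimic PHP's (int) cast on a string: leading whitespace, an optional
    sign and digits are used; everything after that (including any SQL
    metacharacters) is dropped, and a non-numeric prefix gives 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def limit_clause(page_param: str, clamp: bool = False) -> str:
    """Build the LIMIT clause for a paged search.

    clamp=False reproduces the behaviour the vendor describes: the
    parameter is cast to int, so attacker text cannot reach the SQL
    string, but page <= 0 (or non-numeric input, which casts to 0)
    yields a negative offset.  MySQL only accepts non-negative integer
    constants in LIMIT, so the query fails and the search shows no
    results: a bug, not SQL injection.  clamp=True forces page >= 1
    first, which is the check a practitioner would want.
    """
    page = php_intval(page_param)
    if clamp:
        page = max(page, 1)
    offset = (page - 1) * PER_PAGE
    return f"LIMIT {offset}, {PER_PAGE}"


def mysql_accepts_limit(clause: str) -> bool:
    """MySQL's grammar admits only non-negative integer constants in
    LIMIT; a leading '-' on either operand is a syntax error."""
    return re.fullmatch(r"LIMIT \d+, \d+", clause) is not None


def search_sql(page_param: str, clamp: bool = False) -> str:
    # Assumed query shape; only the LIMIT clause matters for the dispute.
    return ("SELECT message_id FROM messages WHERE MATCH(body) AGAINST (?) "
            + limit_clause(page_param, clamp))


if __name__ == "__main__":
    # Constructed sample inputs: valid pages, non-positive pages, garbage,
    # and two classic injection payloads.
    for raw in ["1", "3", "0", "-2", "abc", "2' OR '1'='1", "1 UNION SELECT"]:
        q = limit_clause(raw)
        print(f"{raw!r:>16} -> {q:<14} valid={mysql_accepts_limit(q)!s:<5} "
              f"clamped={limit_clause(raw, clamp=True)}")
```

Run stand-alone, the loop shows that the injection payloads collapse to `LIMIT 20, 20` and `LIMIT 0, 20` with no quote or keyword surviving the cast, while `0`, `-2` and `abc` all yield `LIMIT -20, 20` (or lower), which `mysql_accepts_limit` flags as a query MySQL would reject. That matches the vendor's description: a broken query with no results rather than attacker-controlled SQL.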