[VIM] SQL Injections in phpwebsite
jericho at attrition.org
Wed Mar 22 18:46:54 EST 2006
: Has anyone looked into the SQL injection flaws in phpwebsite announced here:
: SecurityFocus assigned it BID 17150 and Mitre CVE-2006-1330. The
: advisory doesn't specify which versions are affected and I haven't found
: anything about it on the project's site / forums / mailing lists, but
: Secunia reports the solution is to upgrade to a version higher than
: 0.8.3, which would mean 0.9.0, released early 2003.
: The first issue does seem to be new, but the second appears to be the
: same as that covered by CVE-2002-2178 / OSVDB 3850 and announced here:
OSVDB 3850 covers "article.php HTML IMG tags XSS", not an SQL injection.
Currently, none of our entries cover an SQL injection in friend.php or
article.php. CVE-2002-2178 covers article.php sid variable injection,
but uses it as an example for the IMG tag XSS.