[VIM] Jemscripts DownloadControl 1.0 - at least 2 separate issues

Steven M. Christey coley at mitre.org
Tue May 23 11:42:22 EDT 2006

Jemscripts DownloadControl 1.0 has at least 2 separate issues in the
dcid parameter to dc.php, neither of which looks like SQL injection.

Ref: BUGTRAQ:20060519 Jemscripts Download Control v1.0

Claimed SQL injection, but the error message makes you go 'hmmm':

  Warning: file(datinfo36/\'\'/module_data.dat): failed to open
  stream: No such file or directory in
  /homepages/examplesite/downloadcontrol/functions.php on line 130

Now in my functions.php, *around* line 130 (but not exactly), we have:

  function get_module_data() {
  global $module_data;
  global $dcid;
  for ($i=0; $i<$module_array_size; $i++) {            

and in dc.php, we have:




So, the so-called "SQL injection" is, at best, an inability to handle
an invalid "dcid" parameter, and possibly directory traversal.

If we go a little further down dc.php, we see at least one vector for

  $fields.="<input type='hidden' name='dcid' value='$dcid'>";

This might be the vector that SECUNIA:20212 is reporting as XSS,
although "grep" suggests there might be other possibilities.  I
haven't investigated.

- Steve
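
Added example, not part of the original post and not Jemscripts code: one way a PHP script could treat a request parameter such as dcid before it reaches file() or an HTML attribute. The <dir>/<dcid>/module_data.dat layout is assumed from the path in the warning quoted above; the function names, the digits-only rule and the base directory are hypothetical.

```php
<?php
// Added illustration; not DownloadControl source. Function names, the
// digits-only rule for dcid and the data directory are assumptions.

// Accept only a short decimal id; quotes, "../" and markup are rejected.
function parse_dcid($raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,9}\z/', $raw)) {
        return null;
    }
    return $raw;
}

// Build <base>/<dcid>/module_data.dat and confirm it resolves inside <base>.
function module_data_path(string $baseDir, string $dcid): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $dcid . '/module_data.dat');
    if ($base === false || $path === false) {
        return null;                      // missing directory or file
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Emit the hidden field with the value encoded for a quoted attribute.
function hidden_dcid_field(string $dcid): string
{
    return "<input type='hidden' name='dcid' value='"
        . htmlspecialchars($dcid, ENT_QUOTES, 'UTF-8') . "'>";
}

// Constructed inputs: a plain id, a quote-bearing value, a traversal string.
foreach (['12', "''", '../../etc'] as $raw) {
    $dcid = parse_dcid($raw);
    if ($dcid === null) {
        echo "rejected: " . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . "\n";
        continue;
    }
    $path = module_data_path(__DIR__ . '/datinfo36', $dcid);
    echo ($path ?? 'no data file for this id') . "\n";
    echo hidden_dcid_field($dcid) . "\n";
}
```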
