[VIM] QBv14 is a real downloadable product

Steven M. Christey coley at mitre.org
Thu May 25 01:18:10 EDT 2006


Ref:

   BUGTRAQ:20060522 QBv14 XSS
   URL:http://www.securityfocus.com/archive/1/archive/1/434823/100/0/threaded

I noticed VDBs haven't touched this yet.  They must still be poring
over the comprehensive details that were provided for this wildly
popular product.

A zip file was available from here:

  http://www.hotscripts.pl/downloads/php6/?M=A

I dunno if it's got XSS, but I glanced at acc.php and saw this:

  // acc.php: the request parameter goes straight into the include path
  if ($_GET['request'] == "") {
      $page = "actions/main.php";
  }
  else {
      $page = "actions/" . $_GET['request'] . ".php";
  }
  include $page;

which, um, looks kinda suspicious.

- Steve
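
A hardened form of that dispatch, added here as an example (not code from QBv14 or from the post above): the request name is looked up in a fixed allowlist and the raw parameter never reaches include(). The action names in the table are hypothetical.

```php
<?php
// Added example, not from the QBv14 acc.php: same front-controller idea,
// but the request value selects a path from a fixed table instead of
// being concatenated into one.

// Hypothetical list of action scripts this controller is allowed to load.
const ALLOWED_ACTIONS = [
    'main'   => 'actions/main.php',
    'login'  => 'actions/login.php',
    'logout' => 'actions/logout.php',
];

function resolve_action($request): string
{
    // Missing or empty request falls back to the default page, as acc.php does.
    if ($request === null || $request === '') {
        return ALLOWED_ACTIONS['main'];
    }
    // Anything that is not a known action name is refused; the value is
    // logged hex-encoded so log lines stay single-line and unambiguous.
    if (!is_string($request) || !array_key_exists($request, ALLOWED_ACTIONS)) {
        error_log('acc.php: rejected request=' . bin2hex(is_string($request) ? $request : 'non-string'));
        http_response_code(400);
        exit('unknown action');
    }
    return ALLOWED_ACTIONS[$request];
}

$page = resolve_action($_GET['request'] ?? null);
include $page;
```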
