[VIM] Confirm: SimpleNews <= 1.0.0 FINAL SQL Injection Exploit

George A. Theall theall at tenablesecurity.com
Thu May 10 14:55:46 UTC 2007

In case anyone is interested... Silentz didn't mention anything about 
the vendor in his advisory (milw0rm 3886), but it comes from here:
The flaw is valid -- 'print.php' has this code:

         $news_id = $_GET['news_id'];

         $query = "SELECT * FROM simplenews_articles WHERE news_id = 
         $result = mysql_query($query)or die (mysql_error());

so as long as magic_quotes_gpc is disabled, as Silentz states, the 
exploit should work.

SecurityFocus has a BID for this (23904) but mistakenly claims the 
affected software is "SNS (Simple News System)", 
http://sourceforge.net/projects/phpsns, even though (1) the version 
numbers in the advisory and released by SNS don't match and (2) the 
affected script doesn't exist in SNS.

theall at tenablesecurity.com
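The pattern Theall quotes from print.php, shown as an added example beside a hardened rewrite (this code is not from the VIM post or from SimpleNews). The table and column names follow the quoted snippet; the quoted form of the WHERE clause, the mysqli API, the input validation rule and the database credentials are assumptions made for the example. The point of the contrast is that magic_quotes_gpc only escapes quote characters in request data and was never a defence; a parameterised query removes the problem regardless of that setting.

```php
<?php
// Added example: unsafe string-built query versus a parameterised one.
// The original snippet used the mysql_* extension, which was removed in
// PHP 7; mysqli is used here instead (assumption).

function vulnerable_lookup(mysqli $db, array $get): mysqli_result|false
{
    // The pattern from print.php: request data interpolated straight into
    // SQL text. The post truncates the query after "news_id ="; the quoted
    // form below is an assumption. With magic_quotes_gpc off nothing
    // escapes the value, and even with it on, only quote characters are
    // touched, so the design is wrong either way.
    $news_id = $get['news_id'] ?? '';
    $query   = "SELECT * FROM simplenews_articles WHERE news_id = '$news_id'";
    return $db->query($query);
}

function safe_lookup(mysqli $db, array $get): ?array
{
    // Validate first: news_id is a row key, so only a short run of digits
    // is acceptable. Anything else is rejected before it reaches SQL.
    if (!isset($get['news_id']) || !preg_match('/^\d{1,10}$/', $get['news_id'])) {
        // Worth logging: a non-numeric news_id on print.php is a useful
        // detection signal for probing against this flaw.
        error_log('print.php: rejected news_id=' . var_export($get['news_id'] ?? null, true));
        return null;
    }
    $news_id = (int) $get['news_id'];

    // Parameterised query: the SQL text is fixed and the value travels
    // separately, so no quoting or escaping decision is involved.
    $stmt = $db->prepare('SELECT * FROM simplenews_articles WHERE news_id = ?');
    if ($stmt === false) {
        error_log('print.php: prepare failed: ' . $db->error);
        return null;
    }
    $stmt->bind_param('i', $news_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (credentials and database name are assumptions):
// $db = new mysqli('localhost', 'simplenews', 'secret', 'simplenews');
// $article = safe_lookup($db, $_GET);
// if ($article === null) { http_response_code(404); exit; }
```

safe_lookup() returns null both for invalid input and for a missing row, so the caller can answer with a 404 in either case without revealing which it was; the rejected-input log line is the only place the two are distinguished.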
