[VIM] site-specific or bad product name? SQL injection PKs Movie Database

Steven M. Christey coley at mitre.org
Wed Feb 13 17:56:25 UTC 2008

Regarding the SQL injection in MILW0RM:5095 /
http://www.milw0rm.com/exploits/5095 , one of our analysts found that
it doesn't quite look like a real product, and/or is site-specific.
Any ideas?

  The researcher's Dork query locates the warriordvds.com web
  site. The bottom of the page begins with "PKs Movie Database version
  3.0.3 is licensed via ... PK-Designs.com." As of 20080212, the
  PK-Designs.com web site doesn't list a product named PKs Movie
  Database. The bottom of warriordvds.com also says "Powered by: Ant
  Movie Catalog." Ant Movie Catalog is a distributable product
  (www.antp.be/software/moviecatalog); however, it does not seem to be
  the product in question. First, it is implemented in Pascal and
  apparently does not make any use of PHP (there is no
  index.php). Second, the history page indicates that 3.1.0 came after
  3.0.1; there was no 3.0.3. Third, it apparently does not make use of
  the parameters mentioned in the MILW0RM:5095 disclosure. Given that
  some uses of PKs Movie Database are "Powered by: Ant Movie Catalog,"
  it seems likely that PKs Movie Database is a set of data about
  movies, not a product with its own executable files. Thus, perhaps
  the disclosure is actually about an unknown PHP application that
  also happens to use version 3.0.3 of the PKs Movie Database data.

- Steve

More information about the VIM mailing list