[VIM] twice doubtful: Maran PHP Shop SQL injection issues

Steven M. Christey coley at linus.mitre.org
Thu Feb 26 00:07:40 UTC 2009

According to http://www.maran.pamil-visions.com/index.php, Maran PHP Shop
"don't use mySQL for DB, is using flat file .txt."

So it's interesting that at least two disclosures claim SQL injection.

CVE-2008-4880 / MILW0RM:6958

Researcher: d3v1l [Avram Marius]

CVE-2008-4879 / MILW0RM:6958

Researcher: JosS

I downloaded the code and grepped for "sql" and found nothing.  It's
pretty clear that the code uses flat files separated by "#" characters.
There's nothing I see in the source code that suggests where these
researchers came up with their conclusions.

Oddly, JosS presents a live URL.

- Steve
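As an added example (not part of Steve's post and not Maran PHP Shop's code), the triage check he describes, grepping a downloaded tree for evidence of a SQL backend, can be made a little more systematic: look for the common PHP database APIs and SQL statements on one side, and for flat-file I/O (including the "#"-separated records he mentions) on the other, then report which storage model the code actually uses before accepting or disputing a SQL injection claim. The two in-memory "projects" below are constructed samples so the script runs offline; pass a directory path to scan a real code base instead.

```python
"""Triage helper: does a PHP code base actually talk to a SQL database?

Added example for the VIM post above; the sample sources are constructed,
not taken from Maran PHP Shop.
"""
import os
import re
import sys
from typing import Dict, List

# Constructed sample "projects" (file name -> PHP source).
FLAT_FILE_SHOP = {
    "products.php": (
        '<?php\n'
        '$rows = file("data/products.txt");\n'
        'foreach ($rows as $row) { $fields = explode("#", trim($row)); }\n'
    ),
    "order.php": (
        '<?php\n'
        '$fh = fopen("data/orders.txt", "a");\n'
        'fwrite($fh, implode("#", $order) . "\\n");\n'
    ),
}
SQL_SHOP = {
    "products.php": (
        '<?php\n'
        '$res = mysql_query("SELECT * FROM products WHERE id=" . $_GET["id"]);\n'
    ),
    "db.php": (
        '<?php\n'
        '$pdo = new PDO("mysql:host=localhost;dbname=shop", $user, $pass);\n'
    ),
}

# Strong indicators that a SQL database is in use: the classic ext/mysql,
# mysqli, pgsql and sqlite procedural APIs, object-style DB handles, and
# upper-case SQL statements embedded in strings.
SQL_PATTERNS = [
    re.compile(r'\b(mysql|mysqli|pg|sqlite|mssql)_(query|connect|pconnect|db_query)\b'),
    re.compile(r'\bnew\s+(PDO|mysqli|SQLite3)\b'),
    re.compile(r'\b(SELECT|INSERT|UPDATE|DELETE)\b[^;]*\b(FROM|INTO|SET)\b'),
]
# Indicators of flat-file storage: file I/O calls and records split on "#".
FLAT_FILE_PATTERNS = [
    re.compile(r'\b(fopen|fwrite|fgets|fputs|file_put_contents|file_get_contents|file)\s*\('),
    re.compile(r'explode\s*\(\s*["\']#["\']'),
]


def scan_sources(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return matching evidence per category as 'file: matched text' strings."""
    hits: Dict[str, List[str]] = {"sql": [], "flat_file": []}
    for name, src in sorted(files.items()):
        for pat in SQL_PATTERNS:
            hits["sql"].extend(f"{name}: {m.group(0)}" for m in pat.finditer(src))
        for pat in FLAT_FILE_PATTERNS:
            hits["flat_file"].extend(f"{name}: {m.group(0)}" for m in pat.finditer(src))
    return hits


def classify(files: Dict[str, str]) -> str:
    """Summarise the storage model: 'sql', 'flat-file', 'mixed' or 'unknown'."""
    hits = scan_sources(files)
    if hits["sql"] and hits["flat_file"]:
        return "mixed"
    if hits["sql"]:
        return "sql"
    if hits["flat_file"]:
        return "flat-file"
    return "unknown"


def load_php_tree(root: str) -> Dict[str, str]:
    """Read every .php/.inc file under root into the name -> source mapping."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith((".php", ".inc")):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return files


if __name__ == "__main__":
    # Usage: python triage.py /path/to/unpacked/package  (defaults to the sample)
    target = load_php_tree(sys.argv[1]) if len(sys.argv) > 1 else FLAT_FILE_SHOP
    evidence = scan_sources(target)
    print("verdict:", classify(target))
    for category, lines in evidence.items():
        for line in lines:
            print(f"  [{category}] {line}")
```

A "flat-file" verdict with no SQL evidence is the situation the post describes: the claim should then be checked against a live instance or the reporter's proof of concept rather than taken at face value, and a "mixed" verdict (an optional database layer, for example) means the affected configuration needs to be pinned down before the CVE description is written.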
