[VIM] SOBI2 showbiz SQL injection - false, or site-specific

George A. Theall theall at tenablesecurity.com
Sat Jan 31 00:57:08 UTC 2009

On Jan 30, 2009, at 6:50 PM, Steven M. Christey wrote:

> http://www.milw0rm.com/exploits/7841
> BID:33378 says the vendor disputed.
> I downloaded and grepped for "showbiz" and "bid"  and didn't find
> anything.
> Maybe this was some site-specific modification?

When I looked last week, the site mentioned in the milw0rm advisory  
appeared to be running SOBI2 RC 2.8.2. I have 2.8.4 as well as; there is no mention in either of 'showbiz'.  And if you  
google for 'inurl:option inurl:com_sobi2 inurl:showbiz', you only turn  
up that one site. I initially wasn't sure if the issue affected only  
older versions or it was site-specific, but with the vendor disputing  
the report, I'm inclined to believe them.

theall at tenablesecurity.com

More information about the VIM mailing list