[VIM] Flax Article Manager SQL injection explanation

Steven M. Christey coley at linus.mitre.org
Mon Jun 1 17:43:26 UTC 2009


This is labeled as SQL injection but the cookie is merely being set to
some URL-encoded value ",21232f297a57a5a743894a0e4a801fc3", then the "2/"
portion of the exploit implies that you effectively need to know the ID
and password already.  Anybody know what's going on here?  (BTW the
product link is at http://www.flaxweb.com/products/articles)

- Steve

More information about the VIM mailing list