[VIM] MOAUB #15 - PHP MicroCMS 1.0.1

Steven M. Christey coley at linus.mitre.org
Wed Sep 22 12:47:25 CDT 2010

Researcher: abysssec.com


Abysssec claims both username and password are affected, but their source 
extract of get_account_information() shows that the password is passed 
into an AES_ENCRYPT function, which presumably prevents SQL syntax from 
being injected.  Yet various VDBs also list the password.  Has anybody 
investigated this further?

- Steve

More information about the VIM mailing list