Re: phpWebSite 0.10.1 Full SQL Injection

[h4cky0u <h4cky0u.org () gmail com>]

Hi Kevin,

As you can see the whole issue was found and researched by a
member(matrix_kller) at the h4cky0u.org site, i was told that the
vendors had been notified and that he had never heard back from them.
If that is not true then i apologise on his behalf. Anyways i would be
looking forward for a more secure release of your script. Thanks.

On 8/17/05, Kevin Wilcox <kevin () tux appstate edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> h4cky0u wrote:
>
> <snip details>
>
> > VENDOR STATUS:
> > ===============
> > The vendors were contacted but no response received.
>
> As one of the core developers I would like to say two things.
>
> First - thank you for finding and reporting this bug. We have yet to be
> able to do anything useful with it, i.e., select from or insert into any
> db tables, but it is definitely a bug that needs patching and that you
> were able to find it and report it is the beauty of OSS.
>
> Secondly - this bug was *never* reported directly to the phpWebsite
> development team. It was posted (publicly) to the bug list on
> sourceforge but, despite phone/fax numbers, mailing addresses and email
> addresses being readily available (one click away on
> http://phpwebsite.appstate.edu, the homepage of the project), no direct
> contact was ever attempted with the core development team.
>
> A minor release, 0.10.2, is to be released today which incorporates this
> and other bug fixes.
>
> Kevin Wilcox
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFDA0Nt7XWNuvsOTiYRAkeDAKC5derCJqcTTgHLkjVn6a8xN/EVKgCgwETz
> ZPi8nxxQMeuj/hbkLRNEoG4=
> =W2hD
> -----END PGP SIGNATURE-----


-- 
http://www.h4cky0u.org
(In)Security at its best...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/