Bugtraq mailing list archives
Re: Possible phpBB <=2.0.11 bug or sql injection?
From: Giacomo Rizzo <a_l_t_o_s () yahoo it>
Date: Fri, 18 Feb 2005 10:02:47 +0100
It does not seems to be a SQL injection vulnerability. In fact, it just looks like a wrong replacement, but it's confined into the 'string'. Actually the real problem is that this error, when debug mode is active, make anyone discover the $prefix value, that should be kept secret in case of blind sql injections... Gacomo -- # @@@ # (0 0) =================ooO=(_)=Ooo======================================= # Nome: Giacomo Rizzo [ aka: alt-os ] - http://www.free-os.it # OS: Gnu (Slackware 10.0/Linux 2.6.7) # -- # Coordinatore HANC (http://www.hancproject.org) # Coordinatore POuL (http://www.poul.org) # -- # Linux Registered User: #331781, Linux Registered Machine: #216123 ===================================================================
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Possible phpBB <=2.0.11 bug or sql injection? jtm297 (Feb 17)
- RE: Possible phpBB <=2.0.11 bug or sql injection? Miguel Angel Rodríguez Jódar (Feb 19)
- Re: Possible phpBB <=2.0.11 bug or sql injection? kaosone+[ONE]+ (Feb 19)
- Re: Possible phpBB <=2.0.11 bug or sql injection? Giacomo Rizzo (Feb 19)
- <Possible follow-ups>
- Re: Possible phpBB <=2.0.11 bug or sql injection? Exoduks (Feb 19)