lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030529221710.13725.qmail@www.securityfocus.com>
Date: 29 May 2003 22:17:10 -0000
From: JeiAr <jeiar@...ms.com>
To: bugtraq@...urityfocus.com
Subject: PAFileDB SQL Injection Vulnerability & Ratings Cheat Fix




I recently found out that someone I knew was running this vuln 
application. After informing them it was vuln they were dissapointed at 
the fact that they could no longer use the program as the author has not 
supplied a fix. Anyway, here is a quick fix i threw together to take care 
of the problem. Basically it eregs the input to only allow numbers, and 
checks to make sure the number is no greater than 10 and no less than 1.
I also closed off the variable in the SQL query that was allowing the SQL 
injection to be possible. Get the fix here

http://www.gulftech.org/vuln/pafiledbsqlfix.zip

This should solve any problems encountered until the vendor releases 
an "official" fix or a new version of PaFileDB.


Cheers,

JeiAr


----------------------------------------
GulfTech Computers
http://www.gulftech.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ