lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <1108717367.7489.3.camel@ganesh.mgeng.com>
Date: Fri, 18 Feb 2005 10:02:47 +0100
From: Giacomo Rizzo <a_l_t_o_s@...oo.it>
To: bugtraq@...urityfocus.com
Subject: Re: Possible phpBB  <=2.0.11 bug or sql injection?

It does not seems to be a SQL injection vulnerability. In fact, it just
looks like a wrong replacement, but it's confined into the 'string'.

Actually the real problem is that this error, when debug mode is active,
make anyone discover the $prefix value, that should be kept secret in
case of blind sql injections...

Gacomo
-- 
#                    @@@
#                   (0 0)
=================ooO=(_)=Ooo=======================================
# Nome: Giacomo Rizzo [ aka: alt-os ] - http://www.free-os.it
# OS: Gnu (Slackware 10.0/Linux 2.6.7)
# --
# Coordinatore HANC (http://www.hancproject.org)
# Coordinatore POuL (http://www.poul.org)
# --
# Linux Registered User: #331781, Linux Registered Machine: #216123
===================================================================


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ