: I believe that this thing has been discovered and fixed a long time ago.
: Check this out, maybe I am wrong:
: http://www.gnucitizen.org/writings/php-fusion-messages.php-sql-injection-vulnerability.xhtml

Your advisory: POST fields pm_email_notify and pm_save_sent are not properly sanitized.

Rgod's advisory: msg_send=' UNION SELECT [..]

BID 14489 / OSVDB 18708: msg_view='

So three advisories or points of disclosure, 4 different variables, all in messages.php it seems. Close, but this seems like a different issue.