-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

selfar2002@xxxxxxxxxxx wrote:
> ---------------------------------------------------------------------------
> phpWebSite <= 0.10.? (topics.php) Remote SQL Injection Exploit
> ---------------------------------------------------------------------------
> Discovered By SnIpEr_SA
> Author : SnIpEr_SA
> Exploit in Perl : http://www.milw0rm.com/exploits/1525
> Remote : Yes
> Local : No
> Critical Level : Dangerous
> ---------------------------------------------------------------------------
>
> Affected software description:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Application : phpWebSite
> version : 0.10.?
> URL : http://phpwebsite.appstate.edu/
> ...
> ------------------------------------------------------------------
> Exploit:
> ~~~~~~~~
> # http://example.com/path/topics.php?op=viewtopic&topic=-1 Union select name,name,pass,name From users where uid=1

<snip>

This is incorrect.

0.10.0-full was the last release to ship with a topics.php file. The file was part of "convert".

0.10.x-core is NOT affected unless they were updates from earlier versions. The solution: delete "convert".

0.10.1-full and 0.10.2-full are NOT affected unless the site was an update from an earlier version. The solution: delete "convert".

For all affected users: as "convert" is meant to be used ONCE to upgrade from a previous version, the best solution is to delete "convert".

This is also a perfectly acceptable email address to use for vendor notification (which we greatly appreciate). Parties that notify us still receive due credit for finding the vulnerability.

kw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEPo367XWNuvsOTiYRAmUIAJ9Gersjuiht91i5RF3q/TB+YFMq5ACeP9aM
c2qgNA+gxN6pzaRfpOwsei8=
=odzh
-----END PGP SIGNATURE-----
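
A log check that follows from the reply above, as an added example that is not part of the original message or of phpWebSite: it flags access-log requests to topics.php whose topic parameter is not a plain integer, and requests that show the leftover script is still being served. The Apache-style log format, the integer-only assumption for topic, the function names and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request target and status code from a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (addresses from documentation ranges; the
# /path/ prefix is the placeholder used in the quoted advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Apr/2006:10:00:01 +0000] "GET /index.php?module=announce HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Apr/2006:10:02:13 +0000] "GET /path/topics.php?op=viewtopic&topic=12 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Apr/2006:10:05:40 +0000] "GET /path/topics.php?op=viewtopic&topic=-1%20Union%20select%20name HTTP/1.1" 200 1733',
    '198.51.100.7 - - [10/Apr/2006:10:06:02 +0000] "GET /path/topics.php?op=viewtopic&topic=-1+Union+select+name HTTP/1.1" 404 310',
]

def check_line(line):
    """Return (verdict, status) for a flagged request to topics.php, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target, status = urlsplit(m.group(1)), int(m.group(2))
    if not target.path.lower().endswith("/topics.php"):
        return None
    # parse_qs decodes %xx and '+', so encoded values are compared in clear.
    topics = parse_qs(target.query, keep_blank_values=True).get("topic", [])
    # Assumption: a legitimate topic id is a plain decimal integer.
    if any(not re.fullmatch(r"[0-9]+", t) for t in topics):
        return ("non-numeric-topic", status)
    # The reply says "convert" should be deleted after use, so a 200 here
    # means the leftover script is still being served.
    if status == 200:
        return ("leftover-file-served", status)
    return None

def scan(lines):
    """Return [(line_number, verdict, status)] for every flagged line."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = check_line(line)
        if hit:
            findings.append((n, *hit))
    return findings

if __name__ == "__main__":
    for n, verdict, status in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict} (HTTP {status})")
```

A "non-numeric-topic" finding with status 200 is the case to investigate first, since it means the request reached a topics.php that still exists on the site.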