Re: Another YabbSE SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Another YabbSE SQL Injection
From: Mike Bobbitt <mike@xxxxxxx>
Date: 16 Feb 2004 21:05:18 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <002a01c3f4c3$d6eecc40$381e5a0a@desanet69>

Correction... the code change needs to be as follows:

Find:

 $quotemsg = $quote;

Change to:

 if ( $quote && !is_numeric($quote) )
 {
    die('Go out C==|=======>');
 }

 $quotemsg = $quote;

----

Otherwise you won't be able to use the standard reply button.

Cheers and thanks for the info.

Prev by Date: Re: W2K source "leaked"?
Next by Date: Re: Misinformation in Security Advisories (ASN.1)
Previous by thread: Another YabbSE SQL Injection
Next by thread: YABB information leakage on failed login
Index(es):
- Date
- Thread