<<< Date Index >>> <<< Thread Index >>>

Re: Vbulletin 3.7.0 Gold >> Sql injection on faq.php

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Vbulletin 3.7.0 Gold >> Sql injection on faq.php
From: martin.meredith@xxxxxxxxxxxxx
Date: 21 May 2008 09:16:20 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

This is invalid. the variable q is taken, split into words, and then each word 
is escaped for usage within the DB. 

Once again, this is invalid

Follow-Ups:
- Re: Vbulletin 3.7.0 Gold >> Sql injection on faq.php
  - From: Matias Blanco

Prev by Date: [ MDVSA-2008:105 ] - Updated kernel packages fix vulnerabilities
Next by Date: [DSECRG-08-023] SAP Web Application Server XSS Security Vulnerability
Previous by thread: Vbulletin 3.7.0 Gold >> Sql injection on faq.php
Next by thread: Re: Vbulletin 3.7.0 Gold >> Sql injection on faq.php
Index(es):
- Date
- Thread