On Wednesday 17 June 2009 05:27:49 James Andrewartha wrote:
> Pierre,
>
> The bug in download.php is still there in lenny, why did you close
> the bug?

Hi James,

I closed the bug because the advisory [1] stated 1.02 while Lenny version is 1.01. Additionally, this injection does not work here:

http://xxx.xxx.xxx.xxx/ocsreports/download.php?n=1&dl=2&o=3&v=4%27union+all+select+concat(id, %27:%27,passwd)+from+operators%23

And returns an empty file.

However, I agree this needs further investigation to check if 1.01 is vulnerable too. Do you have some working example? I'll check on my side if the code is similar in 1.01 and 1.02.

Cheers,
Pierre

[1] http://archives.neohapsis.com/archives/bugtraq/2009-06/0009.html