On Wed, 17 Jun 2009, Pierre Chifflier wrote:

> On Wednesday 17 June 2009 05:27:49 James Andrewartha wrote:
> > Pierre,
> >
> > The bug in download.php is still there in lenny, why did you close
> > the bug?
>
> Hi James,
>
> I closed the bug because the advisory [1] stated 1.02 while Lenny
> version is 1.01.
> Additionally, this injection does not work here:
> http://xxx.xxx.xxx.xxx/ocsreports/download.php?n=1&dl=2&o=3&v=4%27union+all+select+concat(id,%27:%27,passwd)+from+operators%23
>
> And returns an empty file. However, I agree this needs further
> investigation to check if 1.01 is vulnerable too. Do you have some
> working example? I'll check on my side if the code is similar in 1.01
> and 1.02

magic_quotes in php.ini protects against this attack, but if I turn it off
it works.

-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /
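
The following added example, which is not from the thread or from the ocsreports code, models why the quoted request behaves differently with magic_quotes on and off, and shows the same value handled by a bound parameter. It assumes `v` is concatenated into a single-quoted MySQL string literal; the `files` table and the query text are hypothetical, and sqlite3 stands in for the database.

```python
import sqlite3
from urllib.parse import unquote_plus

# The v= value from the request quoted in the thread, URL-decoded.
V_PARAM = unquote_plus("4%27union+all+select+concat(id,%27:%27,passwd)+from+operators%23")

def addslashes(s):
    """What magic_quotes_gpc applied to every GET/POST/cookie value."""
    return "".join("\\0" if c == "\0" else "\\" + c if c in "'\"\\" else c for c in s)

def literal_end(sql, start):
    """Index just past the quote closing the MySQL string literal opened at
    sql[start], or -1 if the literal never closes."""
    i = start + 1
    while i < len(sql):
        if sql[i] == "\\":                 # backslash escapes the next character
            i += 2
        elif sql[i] == "'":
            if sql[i + 1:i + 2] == "'":    # '' is an escaped quote
                i += 2
            else:
                return i + 1
        else:
            i += 1
    return -1

def breaks_out(value, magic_quotes):
    """True if value, concatenated into '...', ends the literal early."""
    if magic_quotes:
        value = addslashes(value)
    # Hypothetical query shape; the real download.php query is not on the page.
    sql = "SELECT name FROM files WHERE version='" + value + "'"
    return literal_end(sql, sql.index("'")) != len(sql)

def bound_lookup(value):
    """Same lookup with the value bound as a parameter (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE files(name, version);"
                     "INSERT INTO files VALUES('agent.zip', '4');"
                     "CREATE TABLE operators(id, passwd);"
                     "INSERT INTO operators VALUES('admin', 'constructed-hash');")
    return db.execute("SELECT name FROM files WHERE version=?", (value,)).fetchall()

if __name__ == "__main__":
    print("magic_quotes on, leaves literal: ", breaks_out(V_PARAM, True))
    print("magic_quotes off, leaves literal:", breaks_out(V_PARAM, False))
    print("bound parameter rows:", bound_lookup(V_PARAM), bound_lookup("4"))
```

magic_quotes_gpc was removed in PHP 5.4, so the query has to be safe without it; binding the value gives the same result under either php.ini setting.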