unknowed

Anonymous
/index.php?page=
/forum/createtopic.php?method=newtopic&forum=~
/forum/createtopic.php?method=newtopic&forum=:.

Even an empty page is exploitable

/forum/createtopic.php?method=&forum=6

want more?

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Just because it throws an SQL error doesn't automatically mean it's "exploitable". Although I have to agree that the forum could do some more thorough parameter checking.

Besides, your first and last example don't do anything.

If you're seriously interested in helping with security issues, please see our security page.

bye, Dirk

Blaine

Forum User
Moderator
Registered: 07/16/02
Posts: 1232
I have been making version 2.3beta releases available from my site since early January. This version includes code to filter all input parameters for possible hostile data.
Geeklog components by PortalParts -- www.portalparts.com
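
The kind of parameter checking discussed in the two replies above, as an added example that is not part of the thread and is not Geeklog or forum plugin code. The helper names, the method allowlist and the table name in the comment are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not Geeklog or forum plugin code.

// Allowlist for ?method= (assumption: only "newtopic" appears in the thread;
// a real list would come from the script's own dispatch code).
const ALLOWED_METHODS = ['newtopic'];

// Return the forum id as an int, or null unless the raw value is a short
// string of ASCII digits greater than zero.
function parse_forum_id($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Return the method name only if it is on the allowlist (strict comparison).
function parse_method($raw): ?string
{
    return (is_string($raw) && in_array($raw, ALLOWED_METHODS, true)) ? $raw : null;
}

// Sample inputs: the first three are the createtopic.php query strings quoted
// in the thread; the last two are constructed for this example.
$samples = [
    ['method' => 'newtopic', 'forum' => '~'],
    ['method' => 'newtopic', 'forum' => ':.'],
    ['method' => '',         'forum' => '6'],
    ['method' => 'newtopic', 'forum' => '/'],
    ['method' => 'newtopic', 'forum' => '6'],
];

foreach ($samples as $q) {
    $forum  = parse_forum_id($q['forum'] ?? null);
    $method = parse_method($q['method'] ?? null);
    if ($forum === null || $method === null) {
        // Rejected before any SQL is built, so no database error reaches the page.
        printf("reject  method=%s forum=%s\n", var_export($q['method'], true), var_export($q['forum'], true));
        continue;
    }
    // Only a validated integer gets this far, and it is still bound, not concatenated:
    //   $stmt = $pdo->prepare('SELECT name FROM forums WHERE id = ?'); // hypothetical table
    //   $stmt->execute([$forum]);
    printf("accept  method=%s forum=%d\n", $method, $forum);
}
```

Only the last sample is accepted; the other four are rejected before a query would be built.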

unknowed

Anonymous
Quote by Dirk: Just because it throws an SQL error doesn't automatically mean it's "exploitable". Although I have to agree that the forum could do some more thorough parameter checking.

Besides, your first and last example don't do anything.

If you're seriously interested in helping with security issues, please see our security page.

bye, Dirk


You want to bet?

unknowed

Anonymous
btw.. my first and last example was filtered; the character should be \

unknowed

Anonymous
sorry forward slash