On Wednesday 17 June 2009 15:25:57 Giuseppe Iuculano wrote:
> Hi Pierre,
>
> Pierre Chifflier wrote:
> > I closed the bug because the advisory [1] stated 1.02 while Lenny
> > version is 1.01.
>
> This doesn't imply that 1.01 isn't affected.
>

I fully agree, but you should quote correctly:

--8<-----------------
Additionally, this injection does not work here:
http://xxx.xxx.xxx.xxx/ocsreports/download.php?n=1&dl=2&o=3&v=4%27union+all+select+concat(id,
%27:%27,passwd)+from+operators%23
--8<-----------------

Apparently, the default Lenny install is not vulnerable (due to 
magic_quotes on or something like that). I'm looking to backport the fix 
in 1.01 anyway.

BR,
Pierre


