On Wednesday 17 June 2009 15:25:57 Giuseppe Iuculano wrote: > Hi Pierre, > > Pierre Chifflier ha scritto: > > I closed the bug because the advisory [1] stated 1.02 while Lenny > > version is 1.01. > > This doesn't imply that 1.01 isn't affected. >
I fully agree, but you should quote correctly : --8<----------------- Additionally, this injection does not work here: http://xxx.xxx.xxx.xxx/ocsreports/download.php?n=1&dl=2&o=3&v=4%27union+all+select+concat(id, %27:%27,passwd)+from+operators%23 --8<----------------- Apparently, the default Lenny install is not vulnerable (due to magic_quotes on or something like that). I'm looking to backport the fix in 1.01 anyway. BR, Pierre -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
