Pierre Chifflier ha scritto: > I fully agree, but you should quote correctly : > > --8<----------------- > Additionally, this injection does not work here: > http://xxx.xxx.xxx.xxx/ocsreports/download.php?n=1&dl=2&o=3&v=4%27union+all+select+concat(id, > %27:%27,passwd)+from+operators%23 > --8<----------------- > > Apparently, the default Lenny install is not vulnerable (due to > magic_quotes on or something like that). I'm looking to backport the fix > in 1.01 anyway.
I didn't check it, but if is true this vulnerability can be exploited only if magic_quotes is off and severity of this issue could be decreased. Cheers, Giuseppe.
signature.asc
Description: OpenPGP digital signature
