Follow-up Comment #3, sr #111093 (group administration):

Hi Bob, thank you for reaching out to me.

I marked the ticket as disclosure because I am able to see the structure of the users table and the actual SQL query being executed. In my opinion users should not be able to see the raw queries, or database structure. Or any raw error messages/stack traces in general.

Having this query disclosed I could try to do blind SQL injections by sending data like '; DROP TABLE users; -- for password/username/real name, for example. Or trying to change the admin user password hash in the database with the same technique. That said, by having better knowledge about the database structure I could try different approaches to compromising it either by doing damage (trying drop queries) or privilege escalation (trying to update all password hashes in bulk).

I'll keep in mind your advice about uploading images vs. redacting text next time. Thank you.

Best regards,
Dimitar Nikov

_______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/support/?111093>

_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
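The handling this comment asks for, sketched as an added example that is not part of the original message and not Savannah's own code: the value is passed as a bound parameter, and a database failure is logged server-side while the user sees only a generic message with a reference id. The table layout, function names and the 32-character limit are constructed assumptions.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app.db")  # server-side log only, never sent to the client


def make_db():
    """Constructed sample schema; not Savannah's real table layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "realname TEXT NOT NULL CHECK (length(realname) <= 32))"
    )
    conn.execute("INSERT INTO users (id, realname) VALUES (1, 'Alice')")
    return conn


def update_realname(conn, user_id, realname):
    """Return (ok, message); message is the only text the user ever sees."""
    try:
        with conn:  # commit on success, roll back on error
            # Bound parameters: the value is data, never part of the SQL text.
            conn.execute(
                "UPDATE users SET realname = ? WHERE id = ?", (realname, user_id)
            )
        return True, "Profile updated."
    except sqlite3.Error as exc:
        # Full detail goes to the log, keyed by an id the user can report.
        ref = uuid.uuid4().hex[:8]
        log.error("update_realname failed ref=%s user=%s: %r", ref, user_id, exc)
        return False, f"Could not update profile (reference {ref})."


def realname_of(conn, user_id):
    """Read back the stored value for a user, or None if the id is unknown."""
    row = conn.execute(
        "SELECT realname FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None
```

The reference id lets an administrator find the logged exception for a reported failure without the query text or schema ever reaching the browser.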