You almost got it... referrer is still vulnerable to sql injection... I can effectively recover the entire database with enough time and some trickiness... or I could just get your hashed password rather quickly... 10sec per char of md5... so ~5min
<br><br>This probably gives way to other vulns relying on URL validation class if the data is being inserted into the db.<br><br>Check the attached for a semi PoC. It would take more effort to develop a real PoC... and I'd have to install the plugin :), although it could be fun exercise in some python coding.
<br><br>-Matt<br><br><div><span class="gmail_quote">On 3/2/07, <b class="gmail_sendername">Jon Daley</b> <<a href="mailto:plogworld@jon.limedaley.com">plogworld@jon.limedaley.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Yes, it is. And actually it is appropriately labelled. I fixed it<br>up some - not sure if I completed all validation.<br><br>On Fri, 2 Mar 2007, Matt Wood wrote:<br>> InjectSQL eh? Thats a scary function name, threw off my gmail labeling
<br>> scheme ;)<br>_______________________________________________<br>pLog-svn mailing list<br><a href="mailto:pLog-svn@devel.lifetype.net">pLog-svn@devel.lifetype.net</a><br><a href="http://limedaley.com/mailman/listinfo/plog-svn">
http://limedaley.com/mailman/listinfo/plog-svn</a><br></blockquote></div><br>