[35795] in bugtraq
Re: PHP BB bug
daemon@ATHENA.MIT.EDU (Micheal Cottingham)
Tue Jul 20 00:44:43 2004
Message-ID: <40FABB80.4060408@michealcottingham.com>
Date: Sun, 18 Jul 2004 14:03:44 -0400
From: Micheal Cottingham <webmaster@michealcottingham.com>
MIME-Version: 1.0
To: Christian Jonassen <flyrev@gmail.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <2493bd410407180814376d96d3@mail.gmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
As per the Project Manager of phpBB, it is an added feature. (I spoke to
him about this already.) There is no exploit or bug.
Christian Jonassen wrote:
>Hmm.
>
>Highlighting everything---what's dangerous about that?
>
> - Christian NJ
>
>On Thu, 15 Jul 2004 16:04:21 -0400, micheal@michealcottingham.com
><micheal@michealcottingham.com> wrote:
>
>
>>Actually, I found that it doesn't matter if an SQL query is there or not.
>>
>>Example:
>>
>>http://www.example.com/viewtopic.php?t=12345&highlight=bug,%20*
>>
>>Something like:
>>
>>http://www.example.com/viewtopic.php?t=12345&highlight=bug,*
>>
>>does not work however. There doesn't _appear_ to be any exploit here,
>>though granted I did not check this a great deal.
>>
>>--------------------------------------------------------------------
>>mail2web - Check your email from the web at
>>http://mail2web.com/ .
>>
>>
>>
>>
>
>
>
