kdevelop.org website bug (vulnerability?)

Michael Rickert mrickert85 at yahoo.com
Fri Sep 12 09:21:09 UTC 2003


Wasn't able to find a webmaster email over at
kdevelop.org, so I'm not sure if this is the email to
use or what.

I tried to search for "in the prefix, you've chosen,
are no KDE headers installed. This will fail."
(including quotes) for information about the configure
bug I was using. I got no results, and noted at the
top it displayed an SQL error:

You have an error in your SQL syntax near 've chosen,
are no KDE headers installed. This will fail.%' OR
body LIKE '%In t' at line 1

Cutting it down to "o'v" (the single quote is the
problem) you can see a large amount of the SQL
request...

You have an error in your SQL syntax near 'v%' OR body
LIKE '%o'v%' ) ) order by datestamp desc' at line 1

Not sure how close this is to letting people hack the
SQL server, but I thought I'd point out this bug
anyways. Upgrading Phorum may do it... I got around
the no results return by replacing the single quote
with two double quotes (creating two separate search
strings)... even a simple hack like that would help.

Anyways, hope it's nothing serious. I'm no SQL pro :).
   -Mike
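
Added example, not part of the original message and not Phorum's code: a search query built by pasting the term into the SQL text fails on `o'v` as reported above, while the same query with bound parameters does not. SQLite stands in for the site's MySQL server; the `messages` table and `subject` column are assumptions, while `body` and `datestamp` come from the quoted error text.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the forum's message table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (subject TEXT, body TEXT, datestamp TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", [
        ("configure fails",
         "in the prefix, you've chosen, are no KDE headers installed.",
         "2003-09-10"),
        ("unrelated", "nothing to see here", "2003-09-11"),
    ])
    return conn

def search_concatenated(conn, term):
    """'Before': the term becomes SQL text, so a quote ends the string literal."""
    sql = ("SELECT subject FROM messages WHERE ( ( subject LIKE '%" + term + "%' "
           "OR body LIKE '%" + term + "%' ) ) ORDER BY datestamp DESC")
    return [row[0] for row in conn.execute(sql)]

def like_pattern(term):
    """Escape LIKE wildcards so the term is matched literally."""
    for ch in ("\\", "%", "_"):
        term = term.replace(ch, "\\" + ch)
    return "%" + term + "%"

def search_parameterized(conn, term):
    """'After': the term is sent as a bound value, never parsed as SQL."""
    sql = ("SELECT subject FROM messages WHERE ( ( subject LIKE ? ESCAPE '\\' "
           "OR body LIKE ? ESCAPE '\\' ) ) ORDER BY datestamp DESC")
    pattern = like_pattern(term)
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]

def concatenated_raises(conn, term):
    """True when the concatenated query is rejected as malformed SQL."""
    try:
        search_concatenated(conn, term)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("concatenated, o'v ->", "syntax error" if concatenated_raises(db, "o'v") else "ok")
    print("parameterized, you've chosen ->", search_parameterized(db, "you've chosen"))
```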
