('binary' encoding is not supported, stored as-is) I recently found out that someone I knew was running this vuln application. After informing them it was vuln they were dissapointed at the fact that they could no longer use the program as the author has not supplied a fix. Anyway, here is a quick fix i threw together to take care of the problem. Basically it eregs the input to only allow numbers, and checks to make sure the number is no greater than 10 and no less than 1. I also closed off the variable in the SQL query that was allowing the SQL injection to be possible. Get the fix here http://www.gulftech.org/vuln/pafiledbsqlfix.zip This should solve any problems encountered until the vendor releases an "official" fix or a new version of PaFileDB. Cheers, JeiAr ---------------------------------------- GulfTech Computers http://www.gulftech.org
This archive was generated by hypermail 2b30 : Thu May 29 2003 - 22:14:05 PDT