From: "Omid" <omid@hackers.ir.>
To: <bugtraq@securityfocus.com.>
Subject: SQL injection in Moodle
Date: Sun, 17 Sep 2006 10:18:48 +0430
User-Agent: Hackers.ir/1.0
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: Hackers.ir/1.0
X-Virus-Scanned: antivirus-gw at tyumen.ru
Hi,
There is an SQL injection in Moodle 1.6.1+ (and possibly
earlier versions):
The "$blogEntry" parameter passed to the "insert_record()"
function in /blog/edit.php is not checked properly.
Version 1.6.2 has been released (moodle.org).
- Omid