Trivial Path Disclosure in AvantGo

Posted: Fri Apr 09, 2004 5:30 pm

While doing well something today. I found a what I call trivial path disclosure bug in AvantGo.

Simply type in the sid= the number of a deleted article like this:
modules.php?name=AvantGo&file=print&sid=27
Where 27 was removed and you get:
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/user_name/public_html/includes/sql_layer.php on line 286

This is not itself a big deal but its a piece of the puzzle and should be addressed. I'm sure its not the last bug but its certainly another.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Looks like this one [ Only registered users can see links on this board! Get registered or login! ]

Posted: Sat Apr 10, 2004 1:10 am

I thought it sounded familar but the site I noticed it on was one I would have believed fully patched. As the person is a rather well known shaker and rabble rouser in that community. Been kicked off more sites then me wink*