Date: Wed, 4 Jun 2008 22:50:52 +1000
From: Steffen Joeris <steffen.joeris@...lelinux.de>
To: oss-security@...ts.openwall.com
Subject: CVE id request: slash

Hi

I am not sure if anyone has asked for a CVE id for slash yet; if so, please point 
to it and disregard this request.

The Slashdote (also just known as Slash) vulnerability was an SQL injection. 
Its effect was to allow a user with no special authorization to read any 
information from any table the Slash site's mysql user was authorized to read 
(which may include other databases, including information_schema).

Upstream announcement:
http://www.slashcode.com/article.pl?sid=08/01/07/2314232

Upstream patch:
http://slashcode.cvs.sourceforge.net/slashcode/slash/Slash/Utility/Environment/Environment.pm?r1=1.223&r2=1.225

Debian Bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484499



Cheers
Steffen
