Date: Fri, 12 Nov 2010 22:48:16 +0200
From: Henri Salo <henri@...v.fi>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: CVE request: Joomla 1.5.21 SQL Injection and Information Disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can I get a CVE identifier for this issue?

"Multiple vulnerabilities have been discovered in Joomla, which can be exploited by malicious people to conduct SQL injection attacks. Input passed via the "filter_order" and "filter_order_Dir" parameters to index.php (e.g. when "option" is set to "com_weblinks", "com_contact", or "com_messages") is not properly verified before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting limited SQL code, which may result in e.g. information disclosure via database errors."

Vulnerable versions: 1.5.21 and all previous 1.5 releases
Solution: Update to 1.5.22 (or later)

References:
http://secunia.com/advisories/42133
http://developer.joomla.org/security/news/9-security/10-core-security/323-20101101-core-sqli-info-disclosurevulnerabilities.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-10/0514.html

Best regards,
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkzdqBAACgkQXf6hBi6kbk8lFACgmpIFET/szRnKRNpVO0COQuFd
pXcAoMwVjrf3/8PzOIOBuWkxMBW9lodS
=AgJf
-----END PGP SIGNATURE-----
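
Added example, not part of the original message and not Joomla's own code: a generic allowlist check for the "filter_order" and "filter_order_Dir" request parameters named in the advisory. A sort column and direction cannot be bound as prepared-statement placeholders, so they are compared against fixed lists before reaching the query. The function name, column names and sample requests are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example, not Joomla code. Function and column names are hypothetical.

/**
 * Build an ORDER BY clause from request-supplied sort parameters.
 * Identifiers and sort direction cannot be passed as bound parameters,
 * so both are checked against fixed allowlists. $defaultColumn is
 * assumed to be a trusted, hard-coded column name.
 */
function buildOrderBy(array $request, array $allowedColumns, string $defaultColumn): string
{
    $column = $request['filter_order'] ?? $defaultColumn;
    $dir    = $request['filter_order_Dir'] ?? 'ASC';

    // Non-string input (e.g. filter_order[]=x) and unknown columns
    // fall back to the default instead of reaching the query.
    if (!is_string($column) || !in_array($column, $allowedColumns, true)) {
        $column = $defaultColumn;
    }

    // Only the two SQL sort keywords are accepted as a direction.
    $dir = is_string($dir) ? strtoupper($dir) : 'ASC';
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        $dir = 'ASC';
    }

    return ' ORDER BY ' . $column . ' ' . $dir;
}

// Constructed sample requests: one valid, the rest invalid in different ways.
$allowed = ['title', 'hits', 'ordering'];
$samples = [
    ['filter_order' => 'hits', 'filter_order_Dir' => 'desc'],
    ['filter_order' => 'no_such_column', 'filter_order_Dir' => 'ASC'],
    ['filter_order' => 'title', 'filter_order_Dir' => 'sideways'],
    ['filter_order' => ['title']],
    [],
];

foreach ($samples as $request) {
    echo json_encode($request), ' =>', buildOrderBy($request, $allowed, 'ordering'), PHP_EOL;
}
```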