Date: Tue, 06 Mar 2012 12:38:49 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE-request: phxEventManager search.php search_terms Parameter SQL Injection

On 03/06/2012 12:06 AM, Henri Salo wrote:
> Can we assign a 2012 CVE identifier for this vulnerability?
> 
> http://www.osvdb.org/show/osvdb/79738
> 
> "phxEventManager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.php script not properly sanitizing user-supplied input to the 'search_terms' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data."
> 
> Original report: http://seclists.org/fulldisclosure/2012/Mar/4
> Vendor report: http://sourceforge.net/tracker/?func=detail&atid=697109&aid=3496086&group_id=123602
> 
> - Henri Salo

Please use CVE-2012-1124 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
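The OSVDB description quoted above names the defect class (a search parameter spliced unsanitized into a SQL statement) without showing code. The following added example is not phxEventManager's code and does not use its schema; it is a self-contained illustration in Python with an in-memory SQLite database, using a constructed `events` table and a hypothetical `search_terms` handler. It shows the vulnerable string-concatenation form next to a parameterized replacement, together with the checks a maintainer would keep as a regression test after shipping the fix.

```python
import sqlite3

# Constructed sample data: a tiny events table standing in for an event
# manager's schema. Hypothetical; not phxEventManager's real schema.
SAMPLE_EVENTS = [
    ("Board meeting", "Quarterly review of the budget"),
    ("Lunch talk", "Intro to secure coding"),
    ("Private planning", "Internal only"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO events (title, description) VALUES (?, ?)", SAMPLE_EVENTS
    )
    return conn


def search_vulnerable(conn, search_terms):
    """The defect class in the report: search_terms is pasted straight into
    the SQL text, so quote characters in the input change the query."""
    sql = (
        "SELECT title FROM events WHERE title LIKE '%" + search_terms + "%' "
        "OR description LIKE '%" + search_terms + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, search_terms):
    """Hardened form: the value is bound as a query parameter, so the database
    treats it purely as data. LIKE metacharacters typed by the user are escaped
    too, so they cannot silently widen the match."""
    escaped = (
        search_terms.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    pattern = "%" + escaped + "%"
    sql = (
        "SELECT title FROM events WHERE title LIKE ? ESCAPE '\\' "
        "OR description LIKE ? ESCAPE '\\'"
    )
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


def regression_check():
    """Checks a maintainer would keep after the fix: ordinary searches still
    work, and inputs containing quotes or wildcards match only literally.
    The tautology string is the textbook input used to confirm that the
    concatenated query can be altered and the bound query cannot."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "normal_vuln": search_vulnerable(conn, "lunch"),
        "normal_fixed": search_fixed(conn, "lunch"),
        "tautology_vuln": search_vulnerable(conn, tautology),
        "tautology_fixed": search_fixed(conn, tautology),
        "wildcard_vuln": search_vulnerable(conn, "%"),
        "wildcard_fixed": search_fixed(conn, "%"),
    }


if __name__ == "__main__":
    for name, rows in regression_check().items():
        print(f"{name}: {rows}")
```

With the concatenated query, the quote-bearing input returns every row, including the "Private planning" entry; with the bound parameter it returns nothing, because the input is compared as a literal string. The `ESCAPE` clause is the part that is easy to forget: binding alone stops the injection, but without escaping `%` and `_` a user could still turn a search into a match-everything query, which matters when the search covers rows the user is not meant to enumerate.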
