Date: Tue, 06 Mar 2012 12:38:49 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE-request: phxEventManager search.php search_terms Parameter SQL Injection

On 03/06/2012 12:06 AM, Henri Salo wrote:
> Can we assign 2012 CVE-identifier for this vulnerability?
>
> http://www.osvdb.org/show/osvdb/79738
>
> "phxEventManager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.php script not properly sanitizing user-supplied input to the 'search_terms' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data."
>
> Original report: http://seclists.org/fulldisclosure/2012/Mar/4
> Vendor report: http://sourceforge.net/tracker/?func=detail&atid=697109&aid=3496086&group_id=123602
>
> - Henri Salo

Please use CVE-2012-1124 for this issue.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
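The OSVDB text quoted above describes the general pattern behind this class of bug: a request parameter is spliced into SQL text, so the database parses user input as part of the query. The following PHP is an added illustration written for this list archive, not phxEventManager's own search.php; the handler shape, table name (`events`), column names and sample rows are all assumed. It places the weak concatenation pattern beside the corrected prepared-statement version so the fix is concrete.

```php
<?php
// Added illustration, not phxEventManager's code. A hypothetical search handler
// in the shape the OSVDB description implies; table and column names are assumed.

// Weak pattern: the request parameter is interpolated straight into the SQL
// string, so whatever the user sends is parsed by the database as SQL syntax.
function search_events_unsafe(PDO $db, string $searchTerms): array
{
    $sql = "SELECT id, title FROM events WHERE title LIKE '%" . $searchTerms . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Corrected pattern: a prepared statement sends the SQL text and the value
// separately, so the value can never alter the structure of the query.
function search_events_safe(PDO $db, string $searchTerms): array
{
    $stmt = $db->prepare(
        "SELECT id, title FROM events WHERE title LIKE :pattern ESCAPE '\\'"
    );
    // Escape LIKE metacharacters so a user-supplied % or _ matches literally
    // instead of acting as a wildcard (a data-correctness point, separate from injection).
    $escaped = addcslashes($searchTerms, '%_\\');
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite database with constructed sample rows, so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO events (title) VALUES ('Spring meetup'), ('Summer picnic')");

// The same parameter name as in the advisory; defaults to a constructed value
// when run from the command line rather than behind a web server.
$terms = $_GET['search_terms'] ?? 'Spring';
foreach (search_events_safe($db, $terms) as $row) {
    echo $row['id'] . ': ' . $row['title'] . PHP_EOL;
}
```

Reviewing for this bug class means finding every place a request value reaches `query()` or `exec()` through string building and moving it to `prepare()`/`execute()` with bound parameters; escaping functions applied by hand are the pattern that tends to be forgotten on one code path, which is exactly how a single parameter such as `search_terms` ends up unsanitized while the rest of the application is fine.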