Date: Thu, 12 Apr 2012 12:55:01 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, Stefan Schurtz <sschurtz@...nline.de>
Subject: Re: CVE-request: Wikidforum 2.10 multiple XSS and SQL-injection vulnerabilities SSCHADV2012-005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/12/2012 01:49 AM, Henri Salo wrote:
> Hello,
> 
> These three 2012 issues are without CVE-identifiers. XSS
> vulnerabilities can be joined to one CVE if I am correct.
> 
> Affected version: 2.10
> Advisory ID: SSCHADV2012-005
> Bugtraq: http://seclists.org/bugtraq/2012/Mar/45
> 
> Vulnerabilities:
> http://osvdb.org/show/osvdb/80838 Wikidforum Search Field XSS
> http://osvdb.org/show/osvdb/80839 Wikidforum Advanced Search Multiple Field XSS
> http://osvdb.org/show/osvdb/80840 Wikidforum Advanced Search Multiple Field SQL Injection

Please use CVE-2012-2099 for these XSS issues.

Also, I couldn't really confirm the SQL injections, so I'm not assigning a
CVE for them; if you can find confirmation, I'll assign one.

> Advisory URLs:
> http://www.darksecurity.de/advisories/2012/SSCHADV2012-005.txt
> http://www.darksecurity.de/index.php?/202-SSCHADV2012-005-Wikidforum-2.10-Multiple-security-vulnerabilities.html
> 
> I also contacted the vendor just to be sure:
> http://www.wikidforum.com/forum/forum-software_29/wikidforum-support_31/sschadv2012-005-unfixed-xss-and-sql-injection-security-vulnerabilities_188.html
> 
> - Henri Salo

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPhyUEAAoJEBYNRVNeJnmTzvcP/2W/Flev8Z85jhhNRyPqkBlP
h3fVBEqE1WekN91HoQoU/EZnoRhKiMhcxtZCMy2L19nmUWZgFW+J5D10ioZ+TQJu
I9g4/cx9j1nkU46h2Y9nWB6VUu9yb9LD+ZCRPKD1IStDcXpSrNNouWJewQvnHF7K
sgc5NP60olPNfJ2DkbOlh0Vl/41o/BweeZ7DymU8pRW8bUk+fgy1Z5W6wmQcI5qm
LJzQZPkZM0m5x8G6t15Hjzcx4OG8cmQ84WyH08FIgZBn9B8tsz6bfFruCmCwaJH+
Ul9iqUS7ye5dha3+qFeFDDcnn20mG0aZwuP6WDD270MKqQ+ZkhyO+xKcehC2+Ua+
ISJKfgk6HE+8apgM2/vPtqi+MNMgYZGdFhy3PLmTkPXJ5c278a5b0r8j4LO0dOmP
s0sliL+pPVh/6O69vr/+lpglkPfaQN/ikoGMwavIEUtI7d5U3KmyJENO9G6iEO2Z
HLU+rf90DxY41MV1pHm23KkImLoz6aEnpUtKTV9nxJ8qoMttJy+OYALUEWG98N7s
E8U52Ja5YWW6ecDE7/Jc/nFruCixZSzfzlXML7tXpfLoSMMivEGVffNgut5jgw+M
uXwgUTgrrCRTjScQXOlvvOgjp2JX2hTPebztXu7kA8SKDOW9LLFNjnjzo87Yr/2s
Uz1yRzZmvGYs1m8olEwM
=eATf
-----END PGP SIGNATURE-----
