Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 15 Apr 2012 11:03:58 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-request: Wikidforum 2.10 multiple XSS and
 SQL-injection vulnerabilities SSCHADV2012-005

On Fri, Apr 13, 2012 at 10:08:03AM -0600, Kurt Seifried wrote:
> Have you actually verified this first hand (e.g. done a successful SQL
> injection attack) against an installation of Wikidforum?

Nope. My SQL-injection guru-powers are not enough for this. I think something bad could be done via those unescaped inputs, but at the moment I can't make a proper PoC for the list so my vote goes for "no CVE" until someone gives working PoC for this.

I also created this item (no response yet) http://www.wikidforum.com/forum/forum-software_29/wikidforum-support_31/sschadv2012-005-unfixed-xss-and-sql-injection-security-vulnerabilities_188.html

- Henri Salo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.