Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 18 Apr 2012 11:13:29 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, advisories@...itunasecurity.com
Subject: Re: CVE-request: OpenEMR 4.1.0 SQL-injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/16/2012 11:31 PM, Henri Salo wrote:
> Hello,
> 
> Can I get 2012 CVE-identifier for SQL-injection in OpenEMR 4.1.0,
> thanks.
> 
> Original advisory: http://seclists.org/fulldisclosure/2012/Jan/27 
> OSVDB: http://osvdb.org/78132
> 
> """ Information -------------------- Name :  SQL Injection
> Vulnerability in OpenEMR Software :  OpenEMR 4.1.0 and possibly
> below. Vendor Homepage :  http://www.open-emr.org Vulnerability
> Type :  SQL Injection Severity :  Critical Researcher :  Canberk
> Bolat Advisory Reference :  NS-12-001
> 
> Description -------------------- OpenEMR is a Free and Open Source
> electronic health records and medical practice management
> application. OpenEMR is ONC Complete Ambulatory EHR certified and
> features fully integrated electronic health records, practice
> management, scheduling, electronic billing and
> internationalization.
> 
> Details -------------------- OpenEMR is affected by a SQL Injection
> vulnerability in version 4.1.0. Example PoC url is as follows :
> 
> http://example.com/interface/login/validateUser.php?u='%2b(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)%2b'
>
>  You can read the full article about SQL Injection vulnerability
> from here : http://www.mavitunasecurity.com/sql-injection/.
> 
> Solution -------------------- The vendor released a patch for this
> vulnerability. Please see the references.
> 
> Credits -------------------- It has been discovered on testing of
> Netsparker, Web Application Security Scanner -
> http://www.mavitunasecurity.com/netsparker/.
> 
> References -------------------- Vendor Url / Patch :
> http://www.open-emr.org/wiki/index.php/OpenEMR_Patches MSL Advisory
> Link 
> :http://www.mavitunasecurity.com/sql-injection-vulnerability-in-openemr/
>
> 
Netsparker Advisories :
http://www.mavitunasecurity.com/netsparker-advisories/

Please use CVE-2012-2115  for this issue.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPjvY5AAoJEBYNRVNeJnmTCfIQAJISQeUIZa5XtUU2Y/kZDuEM
NRGkMD4ls2cLdQG8hJE5yPWNH887RhcyoLWkPZKETOygt1QsOs2YzRmae/irPE1M
SBzijpDhommPYPs/RYUb6oaPv5nHZTD5y6ssN2sGDXZkStQdzEfdHxEagNgbIBYj
4hQEZDtEt5cKGUyuWvdrlj7pOpu57L5wieeTf+FdgyOTpEXo5eujsxa/IpaAh0Oi
u4NnVG8I26zCtPhJEYridHH8UUwjgcyzkjJiZmLDOInwfNB5ApFqOUNLu/QGo0sU
jLEsevlXzj5f08+sNNadVp6LTbK1ns5KH/obc6OxOAkF4qgg7ZSwNXem9P6vkhJH
mO/KvVH6V3l9fd6d/NF2OOzMBv/5dmSgjkpd3zTjEi4AE6PDIDfSOH8C0jqY/Bqx
7wmxn0Fia3UP7IIhzC6kTavIcWWOPrTFHdUs9iwOXOQK/+MgqwD0gik1Atoc6h8N
NE9+m4lKcEkMUNDGmTptV0ieEaQRI0tFKR6It3Ty5lHji/KLE9V+2r04LmMRwsiC
4aJNBWRt0+MtK8x59+RA1Q9knOcNNvzAxQS/NOv1EBtL56ncHaql5FRdsR6HjQGr
3jBd0IhbZGfQIT0gStRClFohNpe6m/XB4Kr1dHx/TkDPNILTvf9gAtHoO11Nba6/
4gI6bP6IH5DyFmXfHaCR
=0RXe
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ