oss-security - Re: CVE request: Serendipity before 1.6.2 SQL Injection

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 22 May 2012 12:43:59 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Serendipity before 1.6.2 SQL
 Injection

On Tue, May 22, 2012 at 11:05:02AM +0200, Hanno Böck wrote:
> Upstream:
> http://blog.s9y.org/archives/241-Serendipity-1.6.2-released.html
> Advisory:
> https://www.htbridge.com/advisory/HTB23092
> 
> Upstream description of the issue:
> "The error here is that input is not properly validated and can be used
> (when magic_quotes_gpc is off) to inject SQL code to a SQL query; since
> our DB layer does not execute multiple statements, and the involved SQL
> query is not used to produce output code, we regard the impact as low.
> Nevertheless, please upgrade your installation."
> 
> Please assign CVE.
> 
> -- 
> Hanno Böck		mail/jabber: hanno@...eck.de
> GPG: BBB51E42		http://www.hboeck.de/

Is this same as: http://seclists.org/oss-sec/2012/q2/352

It looks to me as a same issue.

- Henri Salo

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.