Date: Mon, 03 Mar 2014 09:36:04 +0100 From: Damien Regad <dregad@...tisbt.org> To: oss-security@...ts.openwall.com Subject: Re: CVE request: MantisBT 1.2.13 SQL injection vulnerability On 28.02.2014 21:05, cve-assign@...re.org wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > >> http://www.mantisbt.org/bugs/view.php?id=17055 > >> admin_config_report.php relied on unsanitized, inlined query parameters, >> enabling a malicious user to perform an SQL injection attack. > > Use CVE-2014-2238. Thank you. FYI, the reporter confirmed that the patch indeed resolves the issue. On 1 March 2014 09:46, Jakub Galczyk wrote: > > 2014-02-28 18:52 GMT+01:00 Damien Regad wrote: > >> You may have gone for the weekend and not seen my last message >> asking you to test the patch, so I went ahead and committed it. Let >> me know if the issue persists, I'll research further and make an >> additional fix as required. >> >> We'll probably release 1.2.17 next week, please try and confirm that >> the vulnerability is indeed gone on Monday if you can. > > Hi Damien, > > it works. Thank you once again! > > Best regards, > Jakub --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ