Date: Tue, 24 Jun 2014 12:10:54 +0200
From: Hanno Böck <>
Subject: Re: CVE request: piwigo before 2.6.3 sql injection

On Tue, 24 Jun 2014 01:51:33 -0400 (EDT) wrote:

> > The Piwigo image gallery contains an sql injection before versions
> > 2.6.3 and 2.7.0_beta2
> >
> >
> >
> Are you sure about this? Changeset 28678 doesn't seem to have been
> implemented in the
> file that's
> recommended in the 2.6.3 Release Notes. Also,
> suggests that 3089 was fixed
> only in 2.7.0beta2, not in 2.6.3.

You are probably right and I'm wrong.

I also don't have any further info than the ones publicly available on
their webpage.

> says "[security] security failure
> reported and fixed by Christopher Chrapka," Is this instead
> perhaps an unspecified vulnerability that is unrelated to the fix for
> bug 3089?

May very well be. So the sql injection only affects the beta and we
have another "unclear" vulnerability and need two CVEs?

Hanno Böck


