Date: Tue, 24 Jun 2014 12:10:54 +0200
From: Hanno Böck <hanno@...eck.de>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: piwigo before 2.6.3 sql injection

On Tue, 24 Jun 2014 01:51:33 -0400 (EDT)
cve-assign@...re.org wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> > The Piwigo image gallery contains an sql injection before versions
> > 2.6.3 and 2.7.0_beta2
> > http://piwigo.org/bugs/view.php?id=3089
> > http://piwigo.org/dev/changeset/28678
> > http://piwigo.org/forum/viewtopic.php?id=24009
> 
> Are you sure about this? Changeset 28678 doesn't seem to have been
> implemented in the
> http://piwigo.org/download/dlcounter.php?code=26xto263 file that's
> recommended in the 2.6.3 Release Notes. Also,
> http://piwigo.org/bugs/changelog_page.php suggests that 3089 was fixed
> only in 2.7.0beta2, not in 2.6.3.

You are probably right and I'm wrong.

I also don't have any further info than the ones publicly available on
their webpage.

> http://piwigo.org/releases/2.6.3 says "[security] security failure
> reported and fixed by Christopher Chrapka, ojezu.org." Is this instead
> perhaps an unspecified vulnerability that is unrelated to the fix for
> bug 3089?

May very well be. So the sql injection only affects the beta and we
have another "unclear" vulnerability and need two CVEs?

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
