Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 24 Jun 2014 12:10:54 +0200
From: Hanno Böck <hanno@...eck.de>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: piwigo before 2.6.3 sql injection

On Tue, 24 Jun 2014 01:51:33 -0400 (EDT)
cve-assign@...re.org wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> > The Piwigo image gallery contains an sql injection before versions
> > 2.6.3 and 2.7.0_beta2
> > http://piwigo.org/bugs/view.php?id=3089
> > http://piwigo.org/dev/changeset/28678
> > http://piwigo.org/forum/viewtopic.php?id=24009
> 
> Are you sure about this? Changeset 28678 doesn't seem to have been
> implemented in the
> http://piwigo.org/download/dlcounter.php?code=26xto263 file that's
> recommended in the 2.6.3 Release Notes. Also,
> http://piwigo.org/bugs/changelog_page.php suggests that 3089 was fixed
> only in 2.7.0beta2, not in 2.6.3.

You are probably right and I'm wrong.

I also don't have any further info than the ones publicly available on
their webpage.

> http://piwigo.org/releases/2.6.3 says "[security] security failure
> reported and fixed by Christopher Chrapka, ojezu.org." Is this instead
> perhaps an unspecified vulnerability that is unrelated to the fix for
> bug 3089?

May very well be. So the sqj injection only affects the beta and we
have another "unclear" vulnerability and need two CVEs?

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.