Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 22 Jun 2016 16:48:55 -0500
From: John Lightsey <john@...nuts.net>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: SQL injection in MovableType xml-rpc interface

On Wed, 2016-06-22 at 17:34 -0400, cve-assign@...re.org wrote:
> > SixApart just released new versions of MovableType 6.2 and 6.1 to fix an SQL
> > injection in the xml-rpc interface. 
> 
> > https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html
> 
> This says:
> 
> >> Previous versions, including Movable Type 6.2.4 and 6.1.2, are
> >> susceptible to SQL injection attacks via XML-RPC interface.
> 
> >> AFFECTED VERSIONS OF MOVABLE TYPE
> 
> >>    Movable Type Pro 6.0.x, 6.1.x, 6.2.x
> >>    Movable Type Advanced 6.0.x, 6.1.x, 6.2.x
> 
> Use CVE-2016-5742.
> 
> > The vulnerability also affects the older GPLv2 licensed MovableType
> > 5.2.13.
> 
> Is there a separate public reference stating that 5.2.13 is affected?
> Or, do you mean that you've done your own analysis and concluded
> that 5.2.13 has the same vulnerability as 6.x? (Either one seems
> fine, and wouldn't affect the number of CVE IDs - we are mostly
> interested in linking the CVE to the primary-source reference about
> the 5.2.13 vulnerability, if such a reference exists elsewhere.)
> 

I sent the original vulnerability report to SixApart and based my report on the
5.2.13 version of the code.
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ