Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 22 Jun 2016 16:48:55 -0500
From: John Lightsey <john@...nuts.net>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: SQL injection in MovableType xml-rpc interface

On Wed, 2016-06-22 at 17:34 -0400, cve-assign@...re.org wrote:
> > SixApart just released new versions of MovableType 6.2 and 6.1 to fix an SQL
> > injection in the xml-rpc interface. 
> 
> > https://movabletype.org/news/2016/06/movable_type_626_and_613_released.html
> 
> This says:
> 
> >> Previous versions, including Movable Type 6.2.4 and 6.1.2, are
> >> susceptible to SQL injection attacks via XML-RPC interface.
> 
> >> AFFECTED VERSIONS OF MOVABLE TYPE
> 
> >>    Movable Type Pro 6.0.x, 6.1.x, 6.2.x
> >>    Movable Type Advanced 6.0.x, 6.1.x, 6.2.x
> 
> Use CVE-2016-5742.
> 
> > The vulnerability also affects the older GPLv2 licensed MovableType
> > 5.2.13.
> 
> Is there a separate public reference stating that 5.2.13 is affected?
> Or, do you mean that you've done your own analysis and concluded
> that 5.2.13 has the same vulnerability as 6.x? (Either one seems
> fine, and wouldn't affect the number of CVE IDs - we are mostly
> interested in linking the CVE to the primary-source reference about
> the 5.2.13 vulnerability, if such a reference exists elsewhere.)
> 

I sent the original vulnerability report to SixApart and based my report on the
5.2.13 version of the code.
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.