Date: Thu, 15 Sep 2016 00:58:24 -0400 (EDT)
From: cve-assign@...re.org
To: dregad@...tisbt.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> ADOdb 5.x, qstr() method,
> improperly quoting strings resulting in a potential SQL injection attack
> vector.

> Note that it is not recommended to write SQL as per the above ...

> https://github.com/ADOdb/ADOdb/issues/226
> https://github.com/ADOdb/ADOdb/commit/bd9eca9f40220f9918ec3cc7ae9ef422b3e448b8

>> SECURITY: ADODB qstr does not quote properly with PDO

>> labels
>> security

>>> Should I assume from the silence that no CVE is required for this?

It only means that the CVE Team at MITRE is not in an optimal position
to decide whether a CVE ID should exist for a specific library issue
that's exploitable only when application code has used that library in
a "not recommended" way. It's best for a maintainer to suggest what
outcome they prefer, e.g., "it's not recommended but people still can
use ADOdb that way; thus, we consider this a required security fix."

Because "security" is still present in the title and labels of 226,
we're making the conclusion that this is a security problem and
assigning an ID, CVE-2016-7405.

>>>> That's true, but I never did in the past, as this mailing list is (or was?)
>>>> monitored by mitre, so posting here has been sufficient until now.

The current situation is that the CVE Team at MITRE receives both the
oss-security messages and the https://cveform.mitre.org form output.
We let people choose either method for obtaining a CVE ID from us,
depending on their disclosure goals, their perspective about open
pre-assignment discussion, or other factors. People using
https://cveform.mitre.org are free to forward our replies to
oss-security if they're relevant to the list, e.g.,
http://www.openwall.com/lists/oss-security/2016/09/08/14 did this.
- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX2indAAoJEHb/MwWLVhi2YqoQAIYLL1M8cHumDhNP7YH3uBaP
QTsrzO2a2XF51eB4o+bgnht9lLI5eGeOqRdcsT1LfviSH4D/cIRwDTCn3lhykgI0
bWdypB/Pkni2rlHaiIcxB8T9Qxcy/BI4JGjEv8BTJZ68YfN7I64PXkUKEGXDb5L3
0t/vOhzILU+9M2nep50LMeehPIVxyvBla7EIhhVN1fiV6cZAaTSb9MfG/0nBC8xo
EmipAxQmFX6l/5O46cB9jt81rlWdVTt5t3grhlFn0N0VQvHGVX+kW5kYz391wZMS
bEmDQDQRkvPdJQHEws8lzCGql1eX+cFuiptHLWjMIQZ7FxXQultR+ECVgd6i3q1L
HjKoHin1x/LqRyWp3pQMnnvqyjV4o/MUpMC5KPZdZalCcFLqenc/pboKugBa2pkT
weop+fXTS9fadfd9WSgMLCWXWu/OyseszqSGM74JJu1IJXlwa8cb24/GHjIrjvsC
FZfk5u8xE4zaV+I8y5Dq/pDwSG6nH/AcZT51c44k+vpEl/kXPuhwPEcZTzmnknKw
S5K9NLksiD0jqogHf595Okt0FopH+86aPwePye1JvmXFBfQf26DCswRg+1/p3g09
GXYT9leG+v8lFMXf9g3tzL5yq+ENlSKlkFbJq7k1uGdsKUOdMrGhqToWkeJYSp0D
SNkQDCDU0zfiY/s8xutp
=Gaft
-----END PGP SIGNATURE-----