Date: Thu, 15 Sep 2016 00:58:24 -0400 (EDT)
From: cve-assign@...re.org
To: dregad@...tisbt.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection


> ADOdb 5.x, qstr() method,
> improperly quoting strings resulting in a potential SQL injection attack
> vector.

> Note that it is not recommended to write SQL as per the above ...

> https://github.com/ADOdb/ADOdb/issues/226
> https://github.com/ADOdb/ADOdb/commit/bd9eca9f40220f9918ec3cc7ae9ef422b3e448b8

>> SECURITY: ADODB qstr does not quote properly with PDO

>> labels
>> security

>>> Should I assume from the silence that no CVE is required for this?

It only means that the CVE Team at MITRE is not in an optimal position
to decide whether a CVE ID should exist for a specific library issue
that's exploitable only when application code has used that library in
a "not recommended" way. It's best for a maintainer to suggest what
outcome they prefer, e.g., "it's not recommended but people still can
use ADOdb that way; thus, we consider this a required security fix."

Because "security" is still present in the title and labels of 226,
we're making the conclusion that this is a security problem and
assigning an ID, CVE-2016-7405.

>>>> That's true, but I never did in the past, as this mailing list is (or was?)
>>>> monitored by mitre, so posting here has been sufficient until now.

The current situation is that the CVE Team at MITRE receives both the
oss-security messages and the https://cveform.mitre.org form output.
We let people choose either method for obtaining a CVE ID from us,
depending on their disclosure goals, their perspective about open
pre-assignment discussion, or other factors. People using
https://cveform.mitre.org are free to forward our replies to
oss-security if they're relevant to the list, e.g.,
http://www.openwall.com/lists/oss-security/2016/09/08/14 did this.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
