Date: Mon, 11 Jun 2012 10:49:25 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Dex <0x41@...h.ai>
Subject: Re: Re: WHMCS 5.0.2> SQLi CVE Request

On 06/07/2012 09:53 AM, Dex wrote:
> Because securityfocus seem incapable of reading code, which I
> guess should be expected from an operation like that, they link to
> the vuln check code. The exploit code is available at PacketStorm: 
> http://packetstormsecurity.org/files/113106/WHMCS-Blind-SQL-Injection.html
>
> On Thursday, June 07, 2012 at 4:48 PM, Dex wrote:
> Hello all, I'd like to request a CVE for this bug please so that I can be
> cool/save the planet.
> http://www.securityfocus.com/bid/53711
> It is what was patched with this patch from WHMCS
> http://www.securityfocus.com/bid/53770
> http://blog.whmcs.com/?t=47828
>
> Thanks in advance,
> dx7r
> I hate myself for this.

So I looked at the info and the patch and there isn't really much info
apart from "SQL Injection" and the patch is base64 and requires some
special loader. Can someone post the actual PHP and/or details, a
bugzilla, or?


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

