Date: Mon, 11 Jun 2012 10:49:25 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Dex <0x41@...h.ai>
Subject: Re: Re: WHMCS 5.0.2> SQLi CVE Request

On 06/07/2012 09:53 AM, Dex wrote:
> Because securityfocus seem incapable of reading code, which I
> guess should be expected from an operation like that, they link to
> the vuln check code. The exploit code is available at PacketStorm:
> http://packetstormsecurity.org/files/113106/WHMCS-Blind-SQL-Injection.html
>
> On Thursday, June 07, 2012 at 4:48 PM, Dex wrote:
> Hello all I'd like to request a CVE for this bug please so that I can be
> cool/save the planet.
> http://www.securityfocus.com/bid/53711
> It is what was patched with this patch from WHMCS
> http://www.securityfocus.com/bid/53770
> http://blog.whmcs.com/?t=47828
>
> Thanks in advance, dx7r
>

I hate myself for this.

So I looked at the info and the patch and there isn't really much info
apart from "SQL Injection" and the patch is base64 and requires some
special loader. Can someone post the actual PHP and/or details, a
bugzilla, or?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993