Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <50256B29.3090902@redhat.com>
Date: Fri, 10 Aug 2012 14:12:25 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Adam Caudill <adam@...mcaudill.com>
Subject: Re: CVE Request: NeoInvoice Blind SQL Injection in
 signup_check.php

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/10/2012 02:55 AM, Adam Caudill wrote:
> All,
> 
> There is a blind SQL injection issue with NeoInvoice 
> (https://github.com/tlhunter/neoinvoice).
> 
> Requester: adam@...mcaudill.com Software: NeoInvoice Attack Type:
> Blind SQL Injection Vulnerable Code: 
> https://github.com/tlhunter/neoinvoice/blob/5e7af94641cba17df9141e95108c369cfb6e6dd5/public/signup_check.php#L29
>
>  Affected Version: Current version; project doesn't seem to be
> using versions.
> 
> Status: Author has been notified; awaiting a response.
> 
> -- Adam Caudill

$query = "SELECT $field FROM $table WHERE $field = '$value' LIMIT 1";

Please use CVE-2012-3477 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQJWspAAoJEBYNRVNeJnmT2bQP/1/NoF9e+FT5wvGiM6w+YsGC
cwJ1IH5LK9gNHFWJFhMtYmciBn2GJiDLa6F8Kt1sn03wG51vNJlHxsV4R3QibxeQ
hzfQRtagf43q5AUathRbriMkHMAmWnLlknoxzOuIASMLX8i9Pa/oehpzVcLrYaNA
Le6zikMr6kmjHK6uMqwr9bueiYZWn96j1WpJFCG8DVMcK5ZGpUqsBAoDW7/A8XZK
eKiBMsepFD9+MRrnXfo43BQgC6P5WaYHF0L95STs2V9Nc89OgfezaZORrxjyIe7d
8EJoVkB4TINp3QDb6GJuPoSLMEM+KKHxiozCUYuPFkMM2EH4BskuO1xLEsL6Kp4v
JrEtCQ8dSQCvQ9z34hNU1rVWgUUgDWaFrHvj8eDA6PVuOn5Ufg9v5uYrd1nkBZ1Z
H2NyG6gcsYYWB5MlUOufCXCINWPN2cZs3eQ2brRPpl78dphkX7eBldMox8U6Wswh
YErACj655d0gXEqPQhod9PjwAzRjgzh2fH8R4F5cPzOj8lsIZiYwXcOdguxn0xVY
8Ja+GtjRfJ4ImORgy9r0xdy8kijkjbDlEcfwxH9mbF1ch7ZxGeDg8IEVsqRx14x2
VHNdZgkdymRrFtm9ogB7cr6qH2ncnrXCr6HNqtMZsDdm+F8aXJar//BPWgJuQQla
wbxhM/nlsAIj/BkrDPFU
=1VHg
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.