Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 02 Mar 2013 19:31:35 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, come2waraxe@...oo.com
Subject: Re: CVE request: PHP-Fusion waraxe-2013-SA#097

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/02/2013 05:02 PM, Henri Salo wrote:
> Hello list,
> 
> Can I get CVEs for vulnerabilities fixed in PHP-Fusion version
> 7.02.06, thanks.
> 
> http://www.waraxe.us/advisory-97.html waraxe-2013-SA#097

Ok grouped these into the 5 sets of vulns:

> 
> OSVDB ID    title 90714     PHP-Fusion /downloads.php orderby
> Parameter SQL Injection 90713     PHP-Fusion /forum/postedit.php
> delete_attach_* Parameter SQL Injection 90712     PHP-Fusion
> /forum/postnewthread.php poll_opts Parameter SQL Injection 90711
> PHP-Fusion /administration/settings_messages.php Multiple Parameter
> SQL Injection 90710     PHP-Fusion
> /administration/settings_photo.php Multiple Parameter SQL Injection
>  90709     PHP-Fusion /administration/bbcodes.php enable Parameter
> SQL Injection 90695     PHP-Fusion /administration/news.php
> Multiple Parameter SQL
Injection
> 90693     PHP-Fusion /administration/articles.php article_id
Parameter SQL Injection
> 90359     PHP-Fusion includes/classes/Authenticate.class.php
Multiple Cookie SQL Injection

Please use CVE-2013-1803 for these issues.

> 90708     PHP-Fusion /forum/viewthread.php highlight Parameter XSS
>  90707     PHP-Fusion /messages.php Multiple Parameter XSS 90706
> PHP-Fusion /infusions/shoutbox_panel/shoutbox_admin.php message
> Parameter XSS 90705     PHP-Fusion /administration/news.php message
> Parameter XSS 90704     PHP-Fusion /administration/panel_editor.php
> panel_list Parameter XSS 90703     PHP-Fusion
> /administration/phpinfo.php User-Agent HTTP Header XSS 90702
> PHP-Fusion /administration/bbcodes.php __BBCODE__ Parameter XSS 
> 90701     PHP-Fusion /administration/article_cats.php Multiple
> Parameter XSS 90700     PHP-Fusion
> /administration/download_cats.php Multiple Parameter XSS 90699
> PHP-Fusion /administration/news_cats.php Multiple Parameter XSS 
> 90698     PHP-Fusion /administration/weblink_cats.php Multiple
> Parameter XSS 90697     PHP-Fusion /administration/articles.php
> Multiple Parameter XSS

Please use CVE-2013-1804 for these issues.

> 90696     PHP-Fusion /administration/db_backup.php file Parameter
> Traversal Arbitrary File Deletion

Please use CVE-2013-1805 for these issues.

> 90694     PHP-Fusion /maincore.php user_theme Parameter Traversal
> Local File Inclusion 90692     PHP-Fusion
> /administration/user_fields.php enable Parameter Traversal Local
> File Inclusion

Please use CVE-2013-1806 for these issues.

> 90691     PHP-Fusion /administration/db_backup.php Database Backup
> Direct Request Information Disclosure

Please use CVE-2013-1807 for these issues.

> -- Henri Salo
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRMrYHAAoJEBYNRVNeJnmTCiwP/AnADFWBxSi7WZgdordsi2et
QxJEWJ6b20KCgDTTCNwrIkHgVuEptiLZBAdyb8vHGJH34s/2WOPBrb6cTybXhQMf
hgnjhRGOuk8i29Z8bG1eQxilfiyckmklLNITnfmWdSTI+o0ZwGNpxvfuE5lCCPMM
+T1gVp1GEx9+pbFTj9W3Ud/Rfozq4ESBqhG3gk1D5iG57yPKstpeS6m9HDMzD1ou
YVEH9QeqwUgxQHJ5EVV3ovs2zrHbNpoTOdS2Bqdm2P2xuQCXxwJQFquii9DC0FMb
HFdysguYxTBXBkFrV4YpPXGdpSGYkazsCb6WMjC7886FDOKH+LMZoDK5mY++sLr0
6AUtoc1L+X5KvpIrod2BUS4QMt4P6yJIndxkG+dvWUZWbjHReQjBwHNOtttnXRAd
vOpwxzu8rzxZVErentXXu+04nffcjaxPmnngoQCH6nwf+wwjyOdCqW0hnSopa6zm
RHp7X6kGuuXDUVELRI7seuUcCOnY2eCwlSe+rzMZZjtqlwovCW9Gpi0MhwK9YF1c
VXCVIi6jtJbFwPS9s5JKCaqV0hFyfvUi2gmuMehmAREtBGyMINX93i4lY2Kz8SId
bBQJH/hdpZsiAUZ295fbDuIEO9CvNKWOPm+cI7bujGh14deuBH48rlU62MhHlbbs
US+dX4d0lZe0DkK81o65
=KrvT
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.