Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 03 Mar 2014 09:36:04 +0100
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: MantisBT 1.2.13 SQL injection vulnerability

On 28.02.2014 21:05, cve-assign@...re.org 
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> http://www.mantisbt.org/bugs/view.php?id=17055
>
>> admin_config_report.php relied on unsanitized, inlined query parameters,
>> enabling a malicious user to perform an SQL injection attack.
>
> Use CVE-2014-2238.

Thank you.

FYI, the reporter confirmed that the patch indeed resolves the issue.

On 1 March 2014 09:46, Jakub Galczyk wrote:
 >
 > 2014-02-28 18:52 GMT+01:00 Damien Regad wrote:
 >
 >> You may have gone for the weekend and not seen my last message
 >> asking you to test the patch, so I went ahead and committed it. Let
 >> me know if the issue persists, I'll research further and make an
 >> additional fix as required.
 >>
 >> We'll probably release 1.2.17 next week, please try and confirm that
 >> the vulnerability is indeed gone on Monday if you can.
 >
 > Hi Damien,
 >
 > it works. Thank you once again!
 >
 > Best regards,
 > Jakub



---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.