Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 16 Aug 2014 03:47:17 -0400 (EDT)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com, msalle@...hef.nl, wilcobh@...hef.nl, elbrus@...ian.org
Cc: cve-assign@...re.org
Subject: Re: CVE id request: cacti remote code execution and SQL injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://svn.cacti.net/viewvc?view=rev&revision=7454
> https://bugzilla.redhat.com/show_bug.cgi?id=1127165

> Since there is no check whether $size is actually a number, only that
> it starts with a number ... it's possible to insert commands by adding
> a ';' followed by any command.

Use CVE-2014-5261 for this issue involving shell metacharacters.


> Incomplete and incorrect input parsing leads to ... SQL injection
> attack scenarios

Use CVE-2014-5262 for the SQL injection.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT7wwXAAoJEKllVAevmvmszMsH/jCWZKh5R2ZO8T0WC1t/gN5R
OjCyukw70QsOJtj/bYvHedMkKrkmGF3lpqKYV0vh6PZcc8tKiNNOQ1EK0pyqUyA3
fpPJzzb3tBvsr66lTUzicGb33L2ZXUSymbWOszaSDE4grt554KySkAe8dX+jztW7
Xk5aznEc4LBQZKG8TqK3i6bsA75aN8v/m0aXXh9QD1E0lYvR98tfBsGh6unAxZTR
NJPR3ZUTE6VorlBm1ikoPFcmuuGiNM3kPxawm1rFpOa8Zy9WuTlKJkY26eYK8x30
pm/AchyANfDLLwlkKIf/aUncCGKIvhGGo4+GGt2QeaBI8zEhvKVmr9ZeHApE1K0=
=x8CR
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.