Date: Tue, 10 Mar 2015 13:12:16 -0400 (EDT)
Subject: Re: Instant v2.0 SQL Injection Vulnerability

Are you able to identify this vulnerability within a specific download
of open-source software?

What we've been able to find is:
   (previous version of web site)
   (later version of web site)

The above archived page suggests that web sites
existed with "Powered By Instant v2.0 another OverCoffee production"
in the footer.

The archived page suggests that the company's goal was
"packages of web development services and applications." Linked pages
refer to "we provide all our clients with a log-in username and
password to their own area of the SelfServe control panel" and "we
partner with our clients from initial consultation through design,
hosting, and management."

This might mean that "Instant v2.0" was a web-design offering that
typically resulted in a web site hosted and maintained by the vendor.

To obtain a CVE ID on the oss-security list, it's necessary to
establish that the vendor has (currently or in the past) packaged the
product in question as open source.

To obtain a CVE ID at all, it's necessary to establish that there is
or was a specific packaged product. A CVE ID is not assigned for "web
development services" that create customer-specific sites/code, even
if multiple customers happened to receive a specific file (such as
product_cat.php) and a vulnerability is found in that file. Also, it's
necessary to establish that customers are responsible for security
updates of the specific packaged product. This is very often the case
if different installations of a product are installed on servers
controlled by different customers. In this situation, this seems
perhaps unlikely because the six example sites do not all have unique
IP addresses. (Admittedly, it's possible for a vendor to initially
maintain its customers' web sites but then later announce that the
customers need to start maintaining them on their own.)

Also, note that this vendor (apparently from Iowa in the U.S.) is not
the same as the InstantCMS vendor (see CVE-2013-6839), apparently
located in Russia.

To summarize:

  - if you know that this is open source, you can send more
    information about that to

  - if you don't know whether it's open source but know that "Instant
    v2.0" was shipped as a software package installable by arbitrary
    customers, you can send more information about that to (That address can be used, optionally, even
    if it is open source. Please do not send to both addresses.)

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]