Date: Thu, 15 Sep 2016 00:58:24 -0400 (EDT)
From: cve-assign@...re.org
To: dregad@...tisbt.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: ADOdb PDO driver: incorrect quoting may allow SQL injection

> ADOdb 5.x, qstr() method,
> improperly quoting strings resulting in a potential SQL injection attack
> vector.

> Note that it is not recommended to write SQL as per the above ...

> https://github.com/ADOdb/ADOdb/issues/226
> https://github.com/ADOdb/ADOdb/commit/bd9eca9f40220f9918ec3cc7ae9ef422b3e448b8

>> SECURITY: ADODB qstr does not quote properly with PDO
>> labels
>> security

>>> Should I assume from the silence that no CVE is required for this?

It only means that the CVE Team at MITRE is not in an optimal position to
decide whether a CVE ID should exist for a specific library issue that's
exploitable only when application code has used that library in a "not
recommended" way. It's best for a maintainer to suggest what outcome they
prefer, e.g., "it's not recommended but people still can use ADOdb that
way; thus, we consider this a required security fix."

Because "security" is still present in the title and labels of 226, we're
making the conclusion that this is a security problem and assigning an ID,
CVE-2016-7405.

>>>> That's true, but I never did in the past, as this mailing list is (or was?)
>>>> monitored by mitre, so posting here has been sufficient until now.

The current situation is that the CVE Team at MITRE receives both the
oss-security messages and the https://cveform.mitre.org form output. We let
people choose either method for obtaining a CVE ID from us, depending on
their disclosure goals, their perspective about open pre-assignment
discussion, or other factors. People using https://cveform.mitre.org are
free to forward our replies to oss-security if they're relevant to the
list, e.g., http://www.openwall.com/lists/oss-security/2016/09/08/14 did
this.
-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]