Date: Fri, 12 Nov 2010 16:20:07 -0500 (EST)
From: Josh Bressers <>
Cc: coley <>
Subject: Re: CVE request: Joomla 1.5.21 SQL Injection and
 Information Disclosure

----- "Henri Salo" <> wrote:

> Can I get CVE-identifier for this issue?
> "Multiple vulnerabilities have been discovered in Joomla, which can be
> exploited by malicious people to conduct SQL injection attacks.
> Input passed via the "filter_order" and "filter_order_Dir" parameters to
> index.php (e.g. when "option" is set to "com_weblinks", "com_contact", or
> "com_messages") is not properly verified before being used in a SQL
> query. This can be exploited to manipulate SQL queries by injecting
> limited SQL code, which may result in e.g. information disclosure via
> database errors."
> Vulnerable versions: 1.5.21 and all previous 1.5 releases
> Solution: Update to 1.5.22 (or later)
> Referers:

This one is confusing. The full-disclosure post also seems to cover
CVE-2010-3712, which was fixed in Joomla 1.5.21.

For the SQL injection issues, let's use CVE-2010-4166.
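
The injection class described in the quoted advisory, as an added example that is not part of this thread and is not Joomla's actual patch: sort parameters concatenated into ORDER BY, beside an allowlisted form. The function names, column names and sample inputs are hypothetical; only the parameter names "filter_order" and "filter_order_Dir" come from the advisory.

```php
<?php
// Added example (hypothetical helpers, not Joomla code).
// ORDER BY identifiers and directions cannot be bound as prepared-statement
// placeholders, so they have to be validated against fixed values instead.

/** Vulnerable pattern: request values flow straight into the SQL text. */
function order_clause_unsafe(array $request): string
{
    return ' ORDER BY ' . $request['filter_order'] . ' ' . $request['filter_order_Dir'];
}

/** Hardened pattern: only allowlisted columns and ASC/DESC reach the query. */
function order_clause_safe(array $request, array $allowedColumns, string $defaultColumn): string
{
    // Request parameters may arrive as arrays (filter_order[]=...), so check the type.
    $column = $request['filter_order'] ?? $defaultColumn;
    if (!is_string($column) || !in_array($column, $allowedColumns, true)) {
        $column = $defaultColumn;
    }

    $direction = $request['filter_order_Dir'] ?? 'ASC';
    $direction = is_string($direction) ? strtoupper($direction) : 'ASC';
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        $direction = 'ASC';
    }

    return ' ORDER BY ' . $column . ' ' . $direction;
}

// Constructed sample inputs: one valid, one with unexpected values,
// one with an array-typed and a missing parameter.
$allowed = ['a.title', 'a.ordering', 'a.hits']; // hypothetical column names
$samples = [
    ['filter_order' => 'a.hits', 'filter_order_Dir' => 'desc'],
    ['filter_order' => 'a.title, unexpected', 'filter_order_Dir' => 'sideways'],
    ['filter_order' => ['a.title']],
];

foreach ($samples as $sample) {
    // Invalid values fall back to the default column and ASC.
    echo order_clause_safe($sample, $allowed, 'a.ordering'), PHP_EOL;
}
```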


