Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 28 Dec 2013 07:23:15 -0500 (EST)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, steveyken@...il.com,
        joernchen@...noelit.de
Subject: Re: CVE request: Fat Free CRM multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://www.phenoelit.org/stuff/ffcrm.txt
> http://seclists.org/fulldisclosure/2013/Dec/199
> https://github.com/fatfreecrm/fat_free_crm/issues/300
> https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29

> 1. Known Session Secret
> https://github.com/fatfreecrm/fat_free_crm/commit/93c182dd4c6f3620b721d2a15ba6a6ecab5669df

Use CVE-2013-7222.


> 2. Lack of CSRF Protection
> https://github.com/fatfreecrm/fat_free_crm/commit/a7fedbb36388bad0c0f32b2346481e0ea126dea6

Use CVE-2013-7223.


> 3. Default to_json for models
> https://github.com/fatfreecrm/fat_free_crm/commit/cf26a04b356ad2161c4c6160260eb870a3de5328

Use CVE-2013-7224.


> 4. Multiple SQL Injections
> https://github.com/fatfreecrm/fat_free_crm/commit/078035f1ef73ed85285ac9d128c3c5f670cef066
> https://github.com/fatfreecrm/fat_free_crm/commit/d4b2de81a4d8c1b201482edcb2488ed9280a65fd

Use CVE-2013-7225.

For item 3: if there is an information-disclosure vulnerability
involving to_xml, please let us know and we can assign an additional
CVE ID. The joernchen advisory mentioned only to_json, and therefore
to_xml has a different discoverer and may require a separate CVE ID.

If there is a denial of service issue involving :delete, please let us
know and we can assign an additional CVE ID. The joernchen advisory
mentioned only "renders JSON requests with a full JSON object," and
therefore :delete has a different discoverer and may require a
separate CVE ID.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSvsH6AAoJEKllVAevmvmsjksIAMeaH2HBfTrSNt83LAy1Sk0c
Q+lexLe6vIsOQLeh02/vk4zk/piqcuQGcmTmpEQ+X5lT+7zwrBoZAe3/g36Nb+mM
uJh9gBzsJkq0JUnqRVn84e9gxnJpqXjUB0aRRhaFrMBKB5jdTDFpWzKWS77KVzhI
QlgEMBObp4WUQHjAfsZcN+cs+xWjMVvR7+rk1AWJ9hAjT02UBGigVNWe5PmDrb8z
/yqcrQiEFTENbdQKSjNxlSSoEFWxEUF1b4PInNl7451ep0Ee2ZKoi9bte8h8pgsP
rOzEsPzu0yevLI7Wgrvl+clSdesuvIi6/2kGklv5LTsM23Rw/spat4nkAuFPKlU=
=PZmt
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ