Message-ID: <Pine.GSO.4.51.0909011346420.5392@faron.mitre.org>
Date: Tue, 1 Sep 2009 13:46:46 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: spip


======================================================
Name: CVE-2009-3041
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3041
Reference: MISC:http://fil.rezo.net/secu-14346-14350+14354.patch
Reference: CONFIRM:http://www.spip-contrib.net/SPIP-Security-Alert-new-version
Reference: BID:36008
Reference: URL:http://www.securityfocus.com/bid/36008
Reference: SECUNIA:36365
Reference: URL:http://secunia.com/advisories/36365
Reference: XF:spip-unspecified-unauth-access(52381)
Reference: URL:http://xforce.iss.net/xforce/xfdb/52381

SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper
access control for (1) ecrire/exec/install.php and (2)
ecrire/index.php, which allows remote attackers to conduct
unauthorized activities related to installation and backups, as
exploited in the wild in August 2009.

