|
Message-ID: <20120415080358.GB20272@kludge.henri.nerv.fi> Date: Sun, 15 Apr 2012 11:03:58 +0300 From: Henri Salo <henri@...v.fi> To: oss-security@...ts.openwall.com Subject: Re: CVE-request: Wikidforum 2.10 multiple XSS and SQL-injection vulnerabilities SSCHADV2012-005 On Fri, Apr 13, 2012 at 10:08:03AM -0600, Kurt Seifried wrote: > Have you actually verified this first hand (e.g. done a successful SQL > injection attack) against an installation of Wikidforum? Nope. My SQL-injection guru-powers are not enough for this. I think something bad could be done via those unescaped inputs, but at the moment I can't make a proper PoC for the list so my vote goes for "no CVE" until someone gives working PoC for this. I also created this item (no response yet) http://www.wikidforum.com/forum/forum-software_29/wikidforum-support_31/sschadv2012-005-unfixed-xss-and-sql-injection-security-vulnerabilities_188.html - Henri Salo
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.