Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120522110502.3003260d@hsalkjdhsa.lan>
Date: Tue, 22 May 2012 11:05:02 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: Serendipity before 1.6.2 SQL Injection

Upstream:
http://blog.s9y.org/archives/241-Serendipity-1.6.2-released.html
Advisory:
https://www.htbridge.com/advisory/HTB23092

Upstream description of the issue:
"The error here is that input is not properly validated and can be used
(when magic_quotes_gpc is off) to inject SQL code to a SQL query; since
our DB layer does not execute multiple statements, and the involved SQL
query is not used to produce output code, we regard the impact as low.
Nevertheless, please upgrade your installation."

Please assign CVE.

-- 
Hanno Böck		mail/jabber: hanno@...eck.de
GPG: BBB51E42		http://www.hboeck.de/

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.