Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20121008125123.GI13520@kludge.henri.nerv.fi>
Date: Mon, 8 Oct 2012 15:51:23 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>
Subject: Re: CVE-request: SMF index.php msg parameter
 SQL-injection (2005)

On Fri, Sep 14, 2012 at 11:29:07AM -0600, Kurt Seifried wrote:
> On 09/14/2012 06:40 AM, Henri Salo wrote:
> > Hello list,
> > 
> > Old SQL-injection security issue in SMF does not have
> > CVE-identifier. Could you please assign one from year 2005,
> > thanks.
> > 
> > Affected versions: <= 1.0.4 Fixed in 1.0.5
> > 
> > References: http://osvdb.org/17458 
> > http://secunia.com/advisories/15784/
> > 
> > - Henri Salo ps. never too late
> > 
> 
> Can you confirm this isn't
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4159

To me this looks like a different vulnerability, because of different affected files and parameters.

CVE-2005-XXXX:
index.php
http://osvdb.org/17458
http://www.securiteam.com/exploits/5HP0N0KG0O.html

CVE-2005-4159:
Memberlist.php
http://osvdb.org/21722
http://archives.neohapsis.com/archives/bugtraq/2005-12/0090.html

- Henri Salo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.