Message-Id: <20140816074717.657911BE00E@smtpvbsrv1.mitre.org>
Date: Sat, 16 Aug 2014 03:47:17 -0400 (EDT)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com, msalle@...hef.nl, wilcobh@...hef.nl, elbrus@...ian.org
Cc: cve-assign@...re.org
Subject: Re: CVE id request: cacti remote code execution and SQL injection


> http://svn.cacti.net/viewvc?view=rev&revision=7454
> https://bugzilla.redhat.com/show_bug.cgi?id=1127165

> Since there is no check whether $size is actually a number, only that
> it starts with a number ... it's possible to insert commands by adding
> a ';' followed by any command.

Use CVE-2014-5261 for this issue involving shell metacharacters.


> Incomplete and incorrect input parsing leads to ... SQL injection
> attack scenarios

Use CVE-2014-5262 for the SQL injection.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

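The quoted description of CVE-2014-5261 says the check only confirmed that `$size` starts with a number. The following PHP is an added example, not part of the original message and not Cacti's code; it contrasts a prefix-only check with a whole-string check. The function names, the sample inputs and the 1-to-4-digit limit are assumptions made for illustration.

```php
<?php
// Added illustration; not Cacti's code. Names and inputs are constructed.

// Weak: anchored at the start only, so any string that merely
// begins with digits passes, whatever follows them.
function size_check_prefix_only(string $size): bool {
    return preg_match('/^[0-9]+/', $size) === 1;
}

// Still weak: in PCRE a plain "$" also matches before a final newline,
// so "10\n" is accepted unless the D modifier or \z is used.
function size_check_dollar(string $size): bool {
    return preg_match('/^[0-9]+$/', $size) === 1;
}

// Strict: \A and \z anchor at the absolute start and end of the string.
// The 1-4 digit bound is an assumed limit for this example.
function size_check_strict(string $size): bool {
    return preg_match('/\A[0-9]{1,4}\z/', $size) === 1;
}

// Build the shell argument only from the validated value, normalised
// through an integer cast and quoted as defence in depth.
function size_argument(string $size): string {
    if (!size_check_strict($size)) {
        throw new InvalidArgumentException('size must be a decimal integer');
    }
    return escapeshellarg((string)(int)$size);
}

// Constructed sample inputs: one valid value and several that only
// start with a number. "CMD" is a placeholder, not a real command.
$samples = ['10', '10;CMD', "10\n", '10 20', '', '0x10'];
foreach ($samples as $s) {
    printf("%-10s prefix_only=%d dollar=%d strict=%d\n",
        json_encode($s),
        size_check_prefix_only($s),
        size_check_dollar($s),
        size_check_strict($s));
}
```

Only `'10'` passes the strict check; `'10;CMD'`, `'10 20'` and `"10\n"` pass the prefix-only check, and `"10\n"` also passes the `$`-anchored one.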