oss-sec mailing list archives

Re: Jara 1.6 SQL injection and XSS


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 31 Oct 2011 10:01:39 -0600

On 10/30/2011 04:48 AM, Henri Salo wrote:
> Can I get CVE-identifiers for these issues:
>
> SQL injection: http://seclists.org/fulldisclosure/2011/Oct/767 (http://seclists.org/bugtraq/2011/Oct/201)
> Bug report to vendor: https://sourceforge.net/tracker/?func=detail&aid=3428075&group_id=294500&atid=1243901
>
> XSS: http://packetstormsecurity.org/files/106114/jara-sql.txt
> Bug report to vendor: https://sourceforge.net/tracker/?func=detail&aid=3430384&group_id=294500&atid=1243901

I assume here you are referring to the comment:

"http://localhost/jara/search.php?term=<script>alert('Faille XSS')</script>"

> No vendor reply. No fix.
>
> Best regards,
> Henri Salo

-Kurt

-- 

-Kurt Seifried / Red Hat Security Response Team
