oss-sec mailing list archives

Re: CVE-request: Wikidforum 2.10 multiple XSS and SQL-injection vulnerabilities SSCHADV2012-005


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 12 Apr 2012 12:55:01 -0600


On 04/12/2012 01:49 AM, Henri Salo wrote:
> Hello,
> 
> These three 2012 issues are without CVE identifiers. XSS
> vulnerabilities can be joined to one CVE if I am correct.
> 
> Affected version: 2.10
> Advisory ID: SSCHADV2012-005
> Bugtraq: http://seclists.org/bugtraq/2012/Mar/45
> 
> Vulnerabilities:
> http://osvdb.org/show/osvdb/80838 Wikidforum Search Field XSS
> http://osvdb.org/show/osvdb/80839 Wikidforum Advanced Search Multiple Field XSS
> http://osvdb.org/show/osvdb/80840 Wikidforum Advanced Search Multiple Field SQL Injection

Please use CVE-2012-2099 for these XSS issues.

Also, I couldn't really confirm the SQL injections, so I'm not assigning a
CVE; if you can find confirmation I'll assign a CVE.

> Advisory URLs:
> http://www.darksecurity.de/advisories/2012/SSCHADV2012-005.txt
> http://www.darksecurity.de/index.php?/202-SSCHADV2012-005-Wikidforum-2.10-Multiple-security-vulnerabilities.html
> 
> I also contacted the vendor just to be sure:
> http://www.wikidforum.com/forum/forum-software_29/wikidforum-support_31/sschadv2012-005-unfixed-xss-and-sql-injection-security-vulnerabilities_188.html
> 
> - Henri Salo



-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
