oss-sec mailing list archives
Re: CVE request for Ushahidi
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 09 Aug 2012 11:51:11 -0600
On 08/01/2012 10:50 PM, Robbie Mackay wrote:
> Hi Kurt,
> I've added info on which researcher discovered the vulnerability in each commit. Any other info needed?
> Thanks,
> Robbie Mackay
> Software Developer, External Projects, Ushahidi Inc
OK, I split these up by reporter as per CVE guidelines.

***********************
* Multiple SQL injections (Reported by Timothy D. Morgan, Kees Cook, postmodern)
=====================
https://github.com/ushahidi/Ushahidi_Web/commit/fdb48d1 (identified by Ushahidi dev team)
https://github.com/ushahidi/Ushahidi_Web/commit/4764792 (identified by Ushahidi dev team)
https://github.com/ushahidi/Ushahidi_Web/commit/d954093 (identified by Ushahidi dev team)

Please use CVE-2012-3468 for these issues
=====================
https://github.com/ushahidi/Ushahidi_Web/commit/6f6a919 (postmodern)
https://github.com/ushahidi/Ushahidi_Web/commit/68d9916 (postmodern)
https://github.com/ushahidi/Ushahidi_Web/commit/e0e2b66 (postmodern)
https://github.com/ushahidi/Ushahidi_Web/commit/a11d43c (postmodern)

Please use CVE-2012-3469 for these issues
=====================
https://github.com/ushahidi/Ushahidi_Web/commit/3301e48 (Kees Cook)

Please use CVE-2012-3470 for these issues
=====================
https://github.com/ushahidi/Ushahidi_Web/commit/3f14fa0 (Timothy D. Morgan)

Please use CVE-2012-3471 for these issues
**************************
* Missing authentication on comments, reports, email API calls (Reported by Kees Cook, Dennison Williams)
=====================
https://github.com/ushahidi/Ushahidi_Web/commit/4c24325 (Dennison Williams)

Please use CVE-2012-3472 for these issues
=====================
https://github.com/ushahidi/Ushahidi_Web/commit/f67f4ad (Kees Cook)
https://github.com/ushahidi/Ushahidi_Web/commit/13ca6f4 (Kees Cook)

Please use CVE-2012-3473 for these issues
**************************
* User details exposed in comments API (Discovered by internal dev team)
https://github.com/ushahidi/Ushahidi_Web/commit/529f353

Please use CVE-2012-3474 for these issues
**************************
* Admin user hijacking through the installer (Reported by Wil Clouser)
https://github.com/ushahidi/Ushahidi_Web/commit/7892559
https://github.com/ushahidi/Ushahidi_Web/commit/fcdad03

Please use CVE-2012-3475 for these issues
**************************
* Stored XSS on member profile pages (Reported by Amy K. Farrell)
https://github.com/ushahidi/Ushahidi_Web/commit/00eae4f
Please use CVE-2012-3476 for these issues

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993