oss-sec mailing list archives

Re: CVE request for Ushahidi


From: Robbie MacKay <robbie () ushahidi com>
Date: Mon, 8 Oct 2012 11:14:55 +1300

Hi Kurt,
I've realised one of the SQL injections was incorrectly assigned

SQL injection in Check-in API
https://github.com/ushahidi/Ushahidi_Web/commit/68d9916 was credited to
postmodern and assigned CVE-2012-3469
It should have been credited to: Kees Cook and assigned to CVE-2012-3470

Regards,

Robbie

On Fri, Aug 10, 2012 at 5:51 AM, Kurt Seifried <kseifried () redhat com> wrote:

On 08/01/2012 10:50 PM, Robbie Mackay wrote:
Hi Kurt, I've added info on which researcher discovered the
vulnerability in each commit. Any other info needed?

Thanks, Robbie Mackay Software Developer, External Projects,
Ushahidi Inc

Ok I split these up by reporter as per CVE guidelines.

***********************
* Multiple SQL injections (Reported by Timothy D. Morgan, Kees
Cook, postmodern)

=====================
https://github.com/ushahidi/Ushahidi_Web/commit/fdb48d1 (identified
by Ushahidi dev team)
https://github.com/ushahidi/Ushahidi_Web/commit/4764792 (identified
by Ushahidi dev team)
https://github.com/ushahidi/Ushahidi_Web/commit/d954093 (identified
by Ushahidi dev team)

Please use CVE-2012-3468 for these issues

=====================
https://github.com/ushahidi/Ushahidi_Web/commit/6f6a919
(postmodern)
https://github.com/ushahidi/Ushahidi_Web/commit/68d9916
(postmodern)
https://github.com/ushahidi/Ushahidi_Web/commit/e0e2b66
(postmodern)
https://github.com/ushahidi/Ushahidi_Web/commit/a11d43c
(postmodern)

Please use CVE-2012-3469 for these issues

=====================
https://github.com/ushahidi/Ushahidi_Web/commit/3301e48 (Kees
Cook)

Please use CVE-2012-3470 for these issues

=====================
https://github.com/ushahidi/Ushahidi_Web/commit/3f14fa0 (Timothy
D. Morgan)

Please use CVE-2012-3471 for these issues

**************************
* Missing authentication on comments, reports, email API calls
(Reported by Kees Cook, Dennison Williams)


=====================
https://github.com/ushahidi/Ushahidi_Web/commit/4c24325 (Dennison
Williams)

Please use CVE-2012-3472 for these issues

=====================
https://github.com/ushahidi/Ushahidi_Web/commit/f67f4ad (Kees
Cook) https://github.com/ushahidi/Ushahidi_Web/commit/13ca6f4 (Kees
Cook)

Please use CVE-2012-3473 for these issues

**************************
* User details exposed in comments API (Discovered by internal dev
team) https://github.com/ushahidi/Ushahidi_Web/commit/529f353

Please use CVE-2012-3474 for these issues

**************************
* Admin user hijacking through the installer (Reported by Wil
Clouser) https://github.com/ushahidi/Ushahidi_Web/commit/7892559
https://github.com/ushahidi/Ushahidi_Web/commit/fcdad03

Please use CVE-2012-3475 for these issues

**************************
* Stored XSS on member profile pages (Reported by Amy K. Farrell)
https://github.com/ushahidi/Ushahidi_Web/commit/00eae4f

Please use CVE-2012-3476 for these issues

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-- 
Robbie Mackay

Software Developer, External Projects
Ushahidi Inc
m: +64 27 576 2243
e: robbie () ushahidi com
skype: robbie.mackay