Re: CVE-request: SMF index.php msg parameter SQL-injection (2005)

[Henri Salo <henri () nerv fi>]

On Fri, Sep 14, 2012 at 11:29:07AM -0600, Kurt Seifried wrote:
> On 09/14/2012 06:40 AM, Henri Salo wrote:
> > Hello list,
> >
> > Old SQL-injection security issue in SMF does not have
> > CVE-identifier. Could you please assign one from year 2005,
> > thanks.
> >
> > Affected versions: <= 1.0.4 Fixed in 1.0.5
> >
> > References: http://osvdb.org/17458 
> > http://secunia.com/advisories/15784/
> >
> > - Henri Salo ps. never too late
>
> Can you confirm this isn't
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4159

To me this looks like a different vulnerability, because of different affected files and parameters.

CVE-2005-XXXX:
index.php
http://osvdb.org/17458
http://www.securiteam.com/exploits/5HP0N0KG0O.html

CVE-2005-4159:
Memberlist.php
http://osvdb.org/21722
http://archives.neohapsis.com/archives/bugtraq/2005-12/0090.html

- Henri Salo