oss-sec mailing list archives

Re: CVE-request for piwigo issues (second request)


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 18 Oct 2012 01:35:26 -0600


On 10/06/2012 01:34 AM, Henri Salo wrote:
> Hello,
>
> Old CVE-request did not get filled. At least the CVE is not listed
> in Mitre's list, OSVDB, Secunia or Debian security-tracker. Request
> done in: http://www.openwall.com/lists/oss-security/2010/12/07/1
>
> """ piwigo:
> a1) CSRF
> a2) SQL injection
> a3) stored XSS
> http://secunia.com/advisories/41365/
> http://piwigo.org/releases/2.1.3
> http://www.exploit-db.com/exploits/14973/ (the issues mentioned by
> the exploit-db entry appear to be the same that were fixed in 2.1.3)
> b) search.php SQL injection
> http://secunia.com/advisories/38305/
> http://piwigo.org/releases/2.0.8
> c) CSRF in the admin panel:
> http://secunia.com/advisories/37681/
> http://www.exploit-db.com/exploits/10417 (the exploit-db entry
> details two other issues, but they are "admin-only" -- feel free to
> assign or ignore those.) """
>
> SA41365: 2010
> SA38305: 2010
> SA37681: 2009
>
> I am happy to provide more information if needed (or in clearer
> format). Please double-verify that these haven't been assigned
> before you assign IDs, please.

Can you add links to the code commits fixing this stuff? Thanks.

> - Henri Salo



-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


