oss-sec mailing list archives
Re: CVE-request: phxEventManager search.php search_terms Parameter SQL Injection
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 06 Mar 2012 12:38:49 -0700
On 03/06/2012 12:06 AM, Henri Salo wrote:
> Can we assign 2012 CVE-identifier for this vulnerability?
>
> http://www.osvdb.org/show/osvdb/79738
>
> "phxEventManager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.php script not properly sanitizing user-supplied input to the 'search_terms' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data."
>
> Original report: http://seclists.org/fulldisclosure/2012/Mar/4
> Vendor report: http://sourceforge.net/tracker/?func=detail&atid=697109&aid=3496086&group_id=123602
>
> - Henri Salo
Please use CVE-2012-1124 for this issue.

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
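The OSVDB text quoted above describes the bug only as the 'search_terms' value reaching the query unsanitised. The following is an added illustration, not phxEventManager's search.php and not code from either poster: a hypothetical search handler that builds a LIKE clause by string concatenation, beside a rewrite that binds the value as a parameter. It assumes PDO with an in-memory SQLite database so it runs stand-alone; the table, rows and probe string are constructed for the example.

```php
<?php
// Added example, not phxEventManager's code. The events table, its rows and the
// probe input are constructed here so the script runs without any external DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)");
$db->exec("INSERT INTO events (title, published) VALUES ('Public meetup', 1), ('Private board dinner', 0)");

// Unsafe pattern (hypothetical): the caller-controlled string becomes part of
// the SQL text, so quote characters in it change the query's structure.
function search_unsafe(PDO $db, string $search_terms): array {
    $sql = "SELECT title FROM events WHERE published = 1 AND title LIKE '%" . $search_terms . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe pattern: the value is bound as a parameter and is never parsed as SQL.
// LIKE metacharacters are escaped as well, so '%' and '_' typed by the user
// match literally instead of acting as wildcards (backslash escaped first so
// the escapes added afterwards are not themselves re-escaped).
function search_safe(PDO $db, string $search_terms): array {
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $search_terms);
    $stmt = $db->prepare("SELECT title FROM events WHERE published = 1 AND title LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed probe of the kind used to test a LIKE-based search: it closes the
// quoted pattern, ORs in a tautology and comments out the trailing "%'".
$probe = "x%' OR 1=1 -- ";

print_r(search_unsafe($db, $probe)); // both rows, the unpublished one included
print_r(search_safe($db, $probe));   // empty: no title contains the literal probe
```

With the unsafe variant the executed statement becomes `... AND title LIKE '%x%' OR 1=1 -- %'`, and since OR binds more loosely than AND the `published = 1` filter no longer constrains the result. The prepared-statement variant sends the same bytes as data, so the only effect of the probe is that nothing matches.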
Current thread:
- CVE-request: phxEventManager search.php search_terms Parameter SQL Injection Henri Salo (Mar 05)
- Re: CVE-request: phxEventManager search.php search_terms Parameter SQL Injection Kurt Seifried (Mar 06)