oss-sec mailing list archives
Re: CVE request: piwigo before 2.6.3 sql injection
From: Hanno Böck <hanno () hboeck de>
Date: Tue, 24 Jun 2014 12:10:54 +0200
On Tue, 24 Jun 2014 01:51:33 -0400 (EDT) cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > The Piwigo image gallery contains an sql injection before versions
> > 2.6.3 and 2.7.0_beta2
> > http://piwigo.org/bugs/view.php?id=3089
> > http://piwigo.org/dev/changeset/28678
> > http://piwigo.org/forum/viewtopic.php?id=24009
>
> Are you sure about this? Changeset 28678 doesn't seem to have been
> implemented in the http://piwigo.org/download/dlcounter.php?code=26xto263
> file that's recommended in the 2.6.3 Release Notes. Also,
> http://piwigo.org/bugs/changelog_page.php suggests that 3089 was fixed
> only in 2.7.0beta2, not in 2.6.3.

You are probably right and I'm wrong. I also don't have any further info than what is publicly available on their webpage.

> http://piwigo.org/releases/2.6.3 says "[security] security failure
> reported and fixed by Christopher Chrapka, ojezu.org." Is this instead
> perhaps an unspecified vulnerability that is unrelated to the fix for
> bug 3089?

May very well be. So the sql injection only affects the beta and we have another "unclear" vulnerability and need two CVEs?

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
Current thread:
- CVE request: piwigo before 2.6.3 sql injection Hanno Böck (Jun 23)
- Re: CVE request: piwigo before 2.6.3 sql injection cve-assign (Jun 23)
- Re: CVE request: piwigo before 2.6.3 sql injection Hanno Böck (Jun 24)
- Re: CVE request: piwigo before 2.6.3 sql injection cve-assign (Jun 24)
- Re: CVE request: piwigo before 2.6.3 sql injection cve-assign (Jun 25)
- Re: CVE request: piwigo before 2.6.3 sql injection Hanno Böck (Jun 24)
- Re: CVE request: piwigo before 2.6.3 sql injection cve-assign (Jun 23)