Re: CVE request: piwigo before 2.6.3 sql injection

[Hanno Böck <hanno () hboeck de>]

On Tue, 24 Jun 2014 01:51:33 -0400 (EDT)
cve-assign () mitre org wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > The Piwigo image gallery contains an sql injection before versions
> > 2.6.3 and 2.7.0_beta2
> > http://piwigo.org/bugs/view.php?id=3089
> > http://piwigo.org/dev/changeset/28678
> > http://piwigo.org/forum/viewtopic.php?id=24009
>
> Are you sure about this? Changeset 28678 doesn't seem to have been
> implemented in the
> http://piwigo.org/download/dlcounter.php?code=26xto263 file that's
> recommended in the 2.6.3 Release Notes. Also,
> http://piwigo.org/bugs/changelog_page.php suggests that 3089 was fixed
> only in 2.7.0beta2, not in 2.6.3.

You are probably right and I'm wrong.

I also don't have any further info than the ones publicly available on
their webpage.

> http://piwigo.org/releases/2.6.3 says "[security] security failure
> reported and fixed by Christopher Chrapka, ojezu.org." Is this instead
> perhaps an unspecified vulnerability that is unrelated to the fix for
> bug 3089?

May very well be. So the sqj injection only affects the beta and we
have another "unclear" vulnerability and need two CVEs?

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: signature.asc
Description: