List:       oss-security
Subject:    Re: [oss-security] CVE Request -- Cacti v0.8.7 -- three security
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2010-05-27 19:41:35
Message-ID: Pine.GSO.4.64.1005271535370.6392 () faron ! mitre ! org


On Wed, 26 May 2010, Josh Bressers wrote:

>>      [A], MOPS-2010-023: Cacti Graph Viewer SQL Injection Vulnerability
>>      http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html
>>      http://www.vupen.com/english/advisories/2010/1204
>>
>>      Credit: The vulnerability was discovered by Stefan Esser as part of
>>      the SQL Injection Marathon.
>>
>>      Upstream changeset:
>>      http://svn.cacti.net/viewvc?view=rev&revision=5920
>
> Steve, you've been handling the MOPS stuff. I'm going to leave this one
> alone unless you tell me otherwise (I don't want to dupe).

Use CVE-2010-2092, to be filled in later today (with a bunch of other MOPS 
issues).


>>      [C], SQL injection and shell escaping issues reported by Bonsai
>>      Information Security (http://www.bonsai-sec.com)

Josh assigned CVE-2010-1645 for the OS command issue.

The SQL injection that Jan is referring to in the original request is most 
likely CVE-2010-1431, which was disclosed by Bonsai back in April.

- Steve