
List:       oss-security
Subject:    Re: [oss-security] CVE request for Ushahidi
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-07-31 18:07:53
Message-ID: 50181EF9.20900 () redhat ! com


On 07/30/2012 06:22 PM, Robbie MacKay wrote:
> The Ushahidi team have been notified of the following security 
> vulnerabilities thanks to volunteers from OWASP Portland. These
> will be fixed in the upcoming 2.5 release. Could you please
> allocate CVEs for the following issues?
> 
> * Multiple SQL injections (Reported by Timothy D. Morgan, Kees
> Cook, postmodern)
> https://github.com/ushahidi/Ushahidi_Web/commit/fdb48d1 
> https://github.com/ushahidi/Ushahidi_Web/commit/6f6a919 
> https://github.com/ushahidi/Ushahidi_Web/commit/4764792 
> https://github.com/ushahidi/Ushahidi_Web/commit/d954093 
> https://github.com/ushahidi/Ushahidi_Web/commit/3301e48 
> https://github.com/ushahidi/Ushahidi_Web/commit/68d9916 
> https://github.com/ushahidi/Ushahidi_Web/commit/e0e2b66 
> https://github.com/ushahidi/Ushahidi_Web/commit/a11d43c 
> https://github.com/ushahidi/Ushahidi_Web/commit/3f14fa0
> 
> * Missing authentication on comments, reports, email API calls 
> (Reported by Kees Cook, Dennison Williams) 
> https://github.com/ushahidi/Ushahidi_Web/commit/4c24325 
> https://github.com/ushahidi/Ushahidi_Web/commit/f67f4ad
> 
> * User details exposed in comments API (Discovered by internal dev
> team) https://github.com/ushahidi/Ushahidi_Web/commit/529f353
> 
> * Admin user hijacking through the installer (Reported by Wil
> Clouser) https://github.com/ushahidi/Ushahidi_Web/commit/7892559 
> https://github.com/ushahidi/Ushahidi_Web/commit/fcdad03
> 
> * Stored XSS on member profile pages (Reported by Amy K. Farrell) 
> https://github.com/ushahidi/Ushahidi_Web/commit/00eae4f
> 
> Thanks in advance,
> 
> Robbie Mackay

You'll need to list which commits were found by which security
reporter (e.g. which ones are Reported by Timothy D. Morgan, Kees
Cook, postmodern). Thanks.

> 
> Software Developer, External Projects, Ushahidi Inc
> e: robbie@ushahidi.com
> skype: robbie.mackay
> 


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

