Ticket #4322 (closed defect: fixed)

Opened 1 year ago

Last modified 5 months ago

SQL injection blind fishing exploit

Reported by: DrHallows
Assigned to: anonymous
Priority: highest omg bbq
Milestone: 2.0.11
Component: Security
Version: 2.1.3
Severity: critical
Keywords: security, bug
Cc:

Description

BIG security bug in "admin-ajax.php": SQL injection blind fishing exploit. More info on: http://www.waraxe.us/ftopict-1780.html#7560

Attachments

test.php (11.3 kB) - added by DrHallows on 05/23/07 19:13:18.

Change History

05/23/07 19:13:18 changed by DrHallows

  • attachment test.php added.

05/23/07 19:18:51 changed by markjaquith

  • keywords changed from securtiy, bug to security, bug.
  • status changed from new to closed.
  • resolution set to fixed.
  • milestone changed from 2.2.1 to 2.0.11.

Fixed for 2.2, 2.0.11 (soon to be released) and in trunk for 2.3

[5440]

[5441]

[5442]

(follow-up: ↓ 3 ) 06/10/07 15:45:28 changed by hvdkamer

  • status changed from closed to reopened.
  • resolution deleted.

According to this page:

"None of these are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained."

However version 2.1.3 is still not patched for this bug?

(in reply to: ↑ 2 ) 06/10/07 21:14:43 changed by westi

  • status changed from reopened to closed.
  • resolution set to fixed.

Replying to hvdkamer:

According to this page: "None of these are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained." However version 2.1.3 is still not patched for this bug?

2.1.3 will not be patched.

The only security supported versions are 2.0.x and 2.2.x

This fix is in 2.2.1 which has just gone RC.

01/29/08 20:39:40 changed by hendry