lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <20070123063930.19229.qmail@securityfocus.com>
Date: 23 Jan 2007 06:39:30 -0000
From: michael@...hnet.us
To: bugtraq@...urityfocus.com
Subject: Re: Multiple SQL injections and XSS in FishCart 3.1

I am the principal behind FishCart, discussed in the above advisory.  I found tonight, after posting to Bugtraq about another reported problem, that this previous bug is reported as unpatched.

As best we could determine, the post from dcrab was not accurate regarding the SQL injection claims.  The original post at http://www.securityfocus.com/archive/1/397484 shows invalid SQL statements, not SQL injection.  We found that the URL he had posted was not normal and turned up a coding bug that explained the SQL errors, but there was no SQL injection.  We also had some trouble reproducing some of the XSS errors.  That said, we took the claims seriously and immediately went to work to improve error hardening.

A fix was worked out among the developers and incorporated into the source in mid May 2005.  A version 3.x patch was derived from the source changes and sent to the FishCart mailing list on May 21, 2005 for installed FishCarts.  This post can be seen at http://www.fishcart.org/archives/200505/msg00028.html.  You will need to log in with username 'speak', password 'friend' to see the post.  While we have continued to refine the process, we think it fair that the patch has been available since that date.

Please update your advisory to reflect this information.  If you have any further questions please feel free to contact me at your convenience to verify my identity or for further details on the fixes.  Thank you for your attention to this matter.

   Michael Brennen
   President, FishNet, Inc.
   michael@...hnet.us
   972.669.0041
