Date: Sun, 10 Jun 2007 20:53:41 +0100
From: Tim Brown <timb@...-dimension.org.uk>
To: full-disclosure@...ts.grok.org.uk, news@...uriteam.com, bugtraq@...urityfocus.com
Subject: Serious holes affecting JFFNMS

As a result of a short security audit of JFFNMS, a number of security holes were found, even from the perspective of a non-authenticated user. The holes included authentication bypass via SQL injection, JavaScript injection and a serious case of information disclosure. After liaising with the developers, the holes have been resolved.

Attached are the advisory and patch relating to these flaws.

Tim
--
Tim Brown
<mailto:timb@...-dimension.org.uk>
<http://www.nth-dimension.org.uk/>

View attachment "jffnms-0.8.3-security-v2.patch" of type "text/x-diff" (2621 bytes)
Download attachment "NDSA20070524.txt.asc" of type "application/pgp-keys" (3666 bytes)
Download attachment "signature.asc " of type "application/pgp-signature" (190 bytes)