Message-ID: <alpine.LNX.2.00.1104052005160.3407@forced.attrition.org>
Date: Tue, 5 Apr 2011 20:08:45 -0500 (CDT)
From: security curmudgeon <jericho@...rition.org>
To: Soporte CERT <soporte@...t.unlp.edu.ar>
Cc: bugtraq@...urityfocus.com
Subject: Re: Multiple vulnerabilities in chCounter <= 3.1.3


: Multiple vulnerabilities were found in web application chCounter <= 3.1.3.
: 
: Author:
: - Matias Fontanini (mfontanini@...t.unlp.edu.ar).
: 
: Requirements:
: - Downloads must be enabled (this is not the default).
: - magic_quotes off.
: - Access to administration site

That is a lot of prerequisites...

: =SQL Injection=
: Location: administration/index.php?cat=downloads&edit=
: Affected parameters: anzahl
: Method: POST
: Severity: High
: Description: When accessing
: administration/index.php?cat=downloads&edit=VALID_ID
: and using a valid download id, an attacker is able to manipulate the
: "anzahl" parameter to perform queries which only involve returning an integer.
: The query output will be sent back to the client in the "anzahl" text input.
: Exploit: An attacker could perform repeated crafted requests to retrieve
: any database records for which the user has access.

"retrieve any database record for which the user has access"

This does not sound like it is crossing any privilege boundaries then. Can 
you elaborate on how this is a vulnerability versus a clever / unintended 
method for accessing the information? Could you then justify giving this a 
"High" severity, especially after the requirements you list?
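For readers following the thread, the pattern the advisory describes is a numeric form field spliced into an SQL statement, which is why the "anzahl" field can carry a subquery that returns an integer and why the result surfaces back in the same input. The following is an added example written for this archive page, not chCounter's own code (the advisory quotes no source): a hypothetical vulnerable builder next to a hardened handler that validates both the download id and the count as integers and binds them as typed parameters. Table and column names (downloads, anzahl, id) and reading "edit" from the same request array are assumptions; the SQLite rows are constructed sample data.

```php
<?php
// Added example, not chCounter's code. Shows the vulnerable pattern the
// advisory describes (integer field concatenated into SQL) and a hardened
// version. Schema names and the request layout are assumptions.

declare(strict_types=1);

// --- Vulnerable pattern (illustrative only, never executed below) ----------
// Numeric columns need no quotes, so the values are spliced in raw and any
// non-numeric input becomes part of the statement. magic_quotes would not
// help here either, since nothing in the value needs escaping.
function buildUpdateUnsafe(array $post): string
{
    return "UPDATE downloads SET anzahl = " . $post['anzahl']
         . " WHERE id = " . $post['edit'];
}

// --- Hardened version ------------------------------------------------------
// 1. Accept only non-negative integers for both fields, before any SQL exists.
// 2. Bind them as PDO::PARAM_INT so the SQL text itself is fixed.
function readIntField(array $post, string $name): int
{
    $value = filter_var($post[$name] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    if ($value === false) {
        throw new InvalidArgumentException("field '$name' must be a non-negative integer");
    }
    return $value;
}

function updateDownloadCount(PDO $db, array $post): int
{
    $id     = readIntField($post, 'edit');
    $anzahl = readIntField($post, 'anzahl');

    $stmt = $db->prepare('UPDATE downloads SET anzahl = :anzahl WHERE id = :id');
    $stmt->bindValue(':anzahl', $anzahl, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE downloads (id INTEGER PRIMARY KEY, name TEXT, anzahl INTEGER)');
$db->exec("INSERT INTO downloads VALUES (1, 'file.zip', 10)");

// Well-formed request: one row updated.
echo updateDownloadCount($db, ['edit' => '1', 'anzahl' => '42']), " row(s) updated\n";

// Non-integer count: rejected before a statement is built, so the database
// only ever sees the fixed query text with integer parameters.
try {
    updateDownloadCount($db, ['edit' => '1', 'anzahl' => '(SELECT 1)']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The validation step is what addresses the advisory's point: with FILTER_VALIDATE_INT in front of the query and typed binding behind it, a request that is not a plain integer is logged as a bad request and never reaches the SQL layer, regardless of whether the caller already holds administrative access.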
