Message-ID: <68cbfab10508170807115436c1@mail.gmail.com>
Date: Wed Aug 17 16:07:53 2005
From: h4cky0u.org at gmail.com (h4cky0u)
Subject: phpWebSite 0.10.1 Full SQL Injection

Hi Kevin,

As you can see, the whole issue was found and researched by a
member (matrix_kller) at the h4cky0u.org site. I was told that the
vendors had been notified and that he had never heard back from them.
If that is not true then I apologise on his behalf. Anyways, I would be
looking forward to a more secure release of your script. Thanks.

On 8/17/05, Kevin Wilcox <kevin@....appstate.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> h4cky0u wrote:
> 
> <snip details>
> 
> > VENDOR STATUS:
> > ===============
> > The vendors were contacted but no response received.
> 
> As one of the core developers I would like to say two things.
> 
> First - thank you for finding and reporting this bug. We have yet to be
> able to do anything useful with it, i.e., select from or insert into any
> db tables, but it is definitely a bug that needs patching and that you
> were able to find it and report it is the beauty of OSS.
> 
> Secondly - this bug was *never* reported directly to the phpWebsite
> development team. It was posted (publicly) to the bug list on
> sourceforge but, despite phone/fax numbers, mailing addresses and email
> addresses being readily available (one click away on
> http://phpwebsite.appstate.edu, the homepage of the project), no direct
> contact was ever attempted with the core development team.
> 
> A minor release, 0.10.2, is to be released today which incorporates this
> and other bug fixes.
> 
> Kevin Wilcox
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> 
> iD8DBQFDA0Nt7XWNuvsOTiYRAkeDAKC5derCJqcTTgHLkjVn6a8xN/EVKgCgwETz
> ZPi8nxxQMeuj/hbkLRNEoG4=
> =W2hD
> -----END PGP SIGNATURE-----
> 


-- 
http://www.h4cky0u.org
(In)Security at its best...
