| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Dec 2011 11:36:13 +0000 From: James Condron <james@...o-internet.org.uk> To: ddivulnalert <ddivulnalert@...frontline.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: DDIVRT-2011-38 KnowledgeTree login.php Blind SQL Injection Well kids, There is a next to useless disclosure. Its is also customary to show some kind f timeline of your correspondence with the vendor. I swear to $deity we used to have standards here, On 7 Dec 2011, at 16:51, ddivulnalert wrote: > Title > ----- > DDIVRT-2011-38 KnowledgeTree login.php Blind SQL Injection > > Severity > -------- > High > > Date Discovered > --------------- > November 18, 2011 > > Discovered By > ------------- > Digital Defense, Inc. Vulnerability Research Team > Credit: sxkeebler and r@...$ > > Vulnerability Description > ------------------------- > The KnowledgeTree login.php login page is vulnerable to a blind SQL > injection vulnerability within the username field. An attacker can > leverage this flaw to execute arbitrary SQL commands and extract > sensitive information from the backend database using standard blind > SQL exploitation techniques. Additionally, an attacker may be able to > leverage this flaw to compromise the database server host OS. > > Solution Description > -------------------- > KnowledgeTree has released a patch which addresses the issue. The new > source is available at: > http://wiki.knowledgetree.org/Security_advisory:_KnowledgeTree_login.php_Blind_SQL_Injection > > Tested Systems / Software > ------------------------- > KnowledgeTree Version 3.7.0.2 (community edition) > > Vendor Contact > -------------- > Vendor Name: KnowledgeTree, Inc. > Vendor Website: http://www.knowledgetree.com/ > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists