[VIM] Recent GForge SQL Injection Vulnerabilities
George A. Theall
theall at tenablesecurity.com
Sat Oct 6 03:01:21 UTC 2007
In case anyone's interested, it looks like Bugtraq 25585 / CVE-2007-3913
on one hand and Bugtraq 25665 / CVE-2007-4966 on the other refer to the
same issue disclosed by Sumit I. Siddharth as part of Portcullis
Security Advisory 07-014.

The first pair of IDs refers to Debian's DSA 1369-1 advisory, which in
turn credits Sumit I. Siddharth. Their patch
(gforge_3.1-31sarge2.diff.gz) is fairly large, but it does fix a SQL
injection issue in editprofile.php involving the variable $skill_delete.

And the GForge developers committed a somewhat different fix for
the issue on September 6th, as shown here:
http://lists.gforge.org/pipermail/gforge-commits/2007-September/000537.html
It references CVE-2007-3913.

Thoughts?

George
--
theall at tenablesecurity.com