GForge Input Validation Flaw in 'GroupJoinRequest.class' Lets Remote Users Inject SQL Commands
|
|
SecurityTracker Alert ID: 1021510
|
|
SecurityTracker URL: http://securitytracker.com/id?1021510
|
|
CVE Reference: CVE-2008-2381
(Links to External Site)
|
Date: Jan 4 2009
|
Impact: Disclosure of system information, Disclosure of user information, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 4.5, 4.7
|
Description: A vulnerability was reported in GForge. A remote user can inject SQL commands.
The software does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to execute
SQL commands on the underlying database.
The create() function in 'GroupJoinRequest.class' is affected.
Debian reported this
vulnerability.
The original advisory is available at:
http://security-tracker.debian.net/tracker/CVE-2008-2381
|
Impact: A remote user can execute SQL commands on the underlying database.
|
Solution: The vendor has issued a source code fix, available via SVN.
|
Vendor URL: www.gforge.org/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 3 Jan 2009 19:07:08 -0500
Subject: GForge
|
http://security-tracker.debian.net/tracker/CVE-2008-2381
CVE-2008-2381
|
|
