Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE request - Batavi 1.2.1 Fixes Blind SQL Injection vulnerability in boxToReload parameter of ajax.php
From: Ronald van den Blink <oss-security () securityview nl>
Date: Thu, 19 Jan 2012 09:29:15 +0100

On Jan 19, 2012, at 8:40 AM, Ronald van den Blink wrote:

On Jan 18, 2012, at 10:55 PM, Kurt Seifried wrote:

Can you include a link to the code commit(s) that fiix this? Thanks.
Hi Kurt,

This is still a bit of a problem, as our internal svn is still not correctly set up to sync to SF's SVN. What I can 
do however is ask our developers to create a diff of the files which were changed to fix this and post them online?

B.t.w. if someone knows a way to sync two SVN repositories to with each other, please contact me off list.

With kind regards,


Well, that went easier than I thought. In https://sourceforge.net/projects/batavi/files/upgrade/ you can find two files 
(database.1.2-1.2.1.sql and core.1.2-1.2.1.patch) which both contains fixes for the Blind SQL injection. You can find 
them on lines 12833 till 12860. Also a new DB method was introduced on lines 13289 till 13300. Both are in 
core.1.2-1.2.1.patch. I hope that this clarifies it enough?


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]