[freeside-users] Fwd: Freeside SelfService CGI|API 2.3.3 - Multiple Vulnerabilities
Jeff Finucane
jeff at cmh.net
Thu Jul 5 21:59:34 PDT 2012
On Thu, Jul 05, 2012 at 03:32:48PM -0700, Ivan Kohler <ivan at freeside.biz> wrote:
+----------
| Looking over the advisory, 1.1 seems the most potentially troubling (SQL
| injection via selfservice.cgi). I've tried the "proof of concept" and
| looked over the code in question, and I'm having a hard time seeing an
| actual problem here so far.
|
| svcnum is searched for using a placeholder so the first "proof of
| concept" URL doesn't run any "injected" SQL, and the second PoC URL is
| even harder to see any sense in: action is explicitly checked against a
| list of allowable values.
|
| At first look, I think this section of the advisory may be in error and
| there is no real SQL injection issue, but I will continue to look
| carefully before stating that definitively. More eyes / clarification
| is certainly welcome.
+----------
I looked at it for about an hour this morning as well and failed to see
a problem. I did not look specifically at the 2.3.3 code, but HEAD.
I too was not ready to definitively say there was no problem. One more
pair of eyes fwiw.
I did not look at the reported cross-site scripting issues.
--
jeff at cmh.net
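
The two defences discussed in this thread, a bound placeholder for svcnum and an allowlist check on action, shown as an added example that is not Freeside's code and not part of the original messages. The table, the action names and the probe string are constructed for illustration, and SQLite stands in for the real database.

```python
import sqlite3

# Hypothetical allowlist; selfservice.cgi's real action names are not shown on this page.
ALLOWED_ACTIONS = {"myaccount", "view_invoice", "change_password"}

def make_db():
    """Constructed in-memory table standing in for a service table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE svc (svcnum INTEGER, username TEXT)")
    db.executemany("INSERT INTO svc VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def lookup_concatenated(db, svcnum):
    """Anti-pattern: the request text becomes part of the SQL statement."""
    return db.execute(
        "SELECT username FROM svc WHERE svcnum = " + svcnum).fetchall()

def lookup_placeholder(db, svcnum):
    """Placeholder: the value is bound as data and never parsed as SQL."""
    return db.execute(
        "SELECT username FROM svc WHERE svcnum = ?", (svcnum,)).fetchall()

def dispatch(action):
    """Reject any action that is not on the fixed list before using it."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    return action

if __name__ == "__main__":
    db = make_db()
    probe = "1 OR 1=1"  # constructed test value, not the advisory's PoC
    # Concatenation lets the probe rewrite the WHERE clause: every row comes back.
    print("concatenated:", lookup_concatenated(db, probe))
    # Bound as a parameter, the probe is just a string that matches no svcnum.
    print("placeholder: ", lookup_placeholder(db, probe))
    print("placeholder, valid id:", lookup_placeholder(db, "2"))
    try:
        dispatch("myaccount' OR '1'='1")
    except ValueError as exc:
        print("dispatch rejected:", exc)
```

When auditing code against a report like this one, the check is whether every request parameter reaches the database only through a bound parameter or a fixed-list comparison, as both functions on the safe path do here.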