Ticket #4322 (closed defect (bug): fixed)

Opened 5 years ago

Last modified 4 years ago

SQL injection blind fishing exploit

Reported by: DrHallows Owned by: anonymous
Priority: highest omg bbq Milestone: 2.0.11
Component: Security Version: 2.1.3
Severity: critical Keywords: security, bug
Cc:

Description

BIG security bug in "admin-ajax.php": SQL injection blind fishing exploit. More info on: http://www.waraxe.us/ftopict-1780.html#7560

Attachments

test.php Download (11.3 KB) - added by DrHallows 5 years ago.

Change History

  • Keywords security, added; securtiy, removed
  • Status changed from new to closed
  • Resolution set to fixed
  • Milestone changed from 2.2.1 to 2.0.11

Fixed for 2.2, 2.0.11 (soon to be released) and in trunk for 2.3

Changesets: [5440], [5441], [5442]

comment:2 follow-up: ↓ 3 — hvdkamer, 5 years ago

  • Status changed from closed to reopened
  • Resolution fixed deleted

According to this page:

"None of these are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained."

However version 2.1.3 is still not patched for this bug?

comment:3 in reply to: ↑ 2 — westi, 5 years ago

  • Status changed from reopened to closed
  • Resolution set to fixed

Replying to hvdkamer:

According to this page:

"None of these are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained."

However version 2.1.3 is still not patched for this bug?

2.1.3 will not be patched.

The only security supported versions are 2.0.x and 2.2.x

This fix is in 2.2.1 which has just gone RC.
