[Full-disclosure] Serious holes affecting JFFNMS
Tim Brown
timb at nth-dimension.org.uk
Sun Jun 10 20:53:41 BST 2007
As a result of a short security audit of JFFNMS, a number of security holes
were found, even from the perspective of a non authenticated user. The holes
included authentication bypass via SQL injection. Javascript injection and a
serious case of information disclosure. After liasing with the developers,
the holes have been resolved. Attached are the advisory and patch relating
to these flaws.
Tim
--
Tim Brown
<mailto:timb at nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jffnms-0.8.3-security-v2.patch
Type: text/x-diff
Size: 2621 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070610/36b4e7a1/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NDSA20070524.txt.asc
Type: application/pgp-keys
Size: 3665 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070610/36b4e7a1/attachment-0001.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070610/36b4e7a1/attachment-0002.bin
Full-Disclosure is hosted and sponsored by Secunia.