Menu

#81 Vulnerability to injections

v1.0 (example)
open
nobody
None
9
2019-09-06
2019-09-06
No

Got a PM reporting this vulnerability:

we found as part of our academic security research some SQL injection vulnerabilities in webchess 1.0. If you need further information or assistance, you can contact me any time.

We found that the following five parameters are vulnerable to SQL injections:
-messageFrom
-gameID
-opponent
-messageID
-to

We are interested in the following questions, which you may not be able to answer right now, but please keep us up-to-date once you know more:

1) Are you going to request CVE numbers [1] or should we request them?
2) Which other product versions are affected by the vulnerabilities?
3) When will you release a fixed version?
4) Which version fixes the vulnerabilities?

[1] https://cve.mitre.org

Please also keep us up-to-date regarding the vulnerabilities. You can reach us via mail at cst@sba-research.org Thank you!

Related

Bugs: #81

Discussion

  • Jonathan Evraire

    Thanks! I haven't replied yet to the original sender... I guess I don't
    personally plan on requesting CVE numbers so unless you want to they can.
    I'm not sure if/when I could look into this but ideally I'd like to leave
    the WebChess code base without any known vulnerabilities. So no immediate
    plans to look into this but I am curious, so may take a look myself in the
    near future.

    Of course feel free to fix these if you have the time! ;-) And thanks for
    sticking around so long!

    Jonathan

    On Fri, Sep 6, 2019, 11:37 Rodrigo Flores roflo1@users.sourceforge.net
    wrote:


    Status: open
    Group: v1.0 (example)
    Created: Fri Sep 06, 2019 03:37 PM UTC by Rodrigo Flores
    Last Updated: Fri Sep 06, 2019 03:37 PM UTC
    Owner: nobody

    Got a PM reporting this vulnerability:

    we found as part of our academic security research some SQL injection
    vulnerabilities in webchess 1.0. If you need further information or
    assistance, you can contact me any time.

    We found that the following five parameters are vulnerable to SQL
    injections:
    -messageFrom
    -gameID
    -opponent
    -messageID
    -to

    We are interested in the following questions, which you may not be able to
    answer right now, but please keep us up-to-date once you know more:

    1) Are you going to request CVE numbers [1] or should we request them?
    2) Which other product versions are affected by the vulnerabilities?
    3) When will you release a fixed version?
    4) Which version fixes the vulnerabilities?

    [1] https://cve.mitre.org

    Please also keep us up-to-date regarding the vulnerabilities. You can
    reach us via mail at cst@sba-research.org Thank you!


    Sent from sourceforge.net because you indicated interest in
    https://sourceforge.net/p/webchess/bugs/81/

    To unsubscribe from further messages, please visit
    https://sourceforge.net/auth/subscriptions/

     

    Related

    Bugs: #81

    • Rodrigo Flores

      Rodrigo Flores - 2019-09-06

      Yup, I'm still around. :)

      And I agree.
      With both the CVE request and the fact that it should be fixed regardless.

      Still don't know when I'll have some time to spare, so I'll leave it without an assigned owner in case someone else wants to grab it.

       

Log in to post a comment.