Got a PM reporting this vulnerability:
We found, as part of our academic security research, some SQL injection vulnerabilities in webchess 1.0. If you need further information or assistance, you can contact me any time.
We found that the following five parameters are vulnerable to SQL injections:
- messageFrom
- gameID
- opponent
- messageID
- to

We are interested in the following questions, which you may not be able to answer right now, but please keep us up-to-date once you know more:
1) Are you going to request CVE numbers [1] or should we request them?
2) Which other product versions are affected by the vulnerabilities?
3) When will you release a fixed version?
4) Which version fixes the vulnerabilities?

Please also keep us up-to-date regarding the vulnerabilities. You can reach us via mail at cst@sba-research.org. Thank you!
Thanks! I haven't replied yet to the original sender... I guess I don't
personally plan on requesting CVE numbers so unless you want to they can.
I'm not sure if/when I could look into this but ideally I'd like to leave
the WebChess code base without any known vulnerabilities. So no immediate
plans to look into this but I am curious, so may take a look myself in the
near future.
Of course feel free to fix these if you have the time! ;-) And thanks for
sticking around so long!
Jonathan
On Fri, Sep 6, 2019, 11:37 Rodrigo Flores roflo1@users.sourceforge.net
wrote:
Related
Bugs: #81
Yup, I'm still around. :)
And I agree.
With both the CVE request and the fact that it should be fixed regardless.
Still don't know when I'll have some time to spare, so I'll leave it without an assigned owner in case someone else wants to grab it.