[Vtigercrm-developers] vTiger multiple vulnerabilities

Mike Fedyk mfedyk at mikefedyk.com
Wed Aug 23 16:32:24 PDT 2006


If there are any patches published, they should go into the 4.2.5 release.
No more "patch" releases.  That is what point releases are for.


From: vtigercrm-developers-bounces at lists.vtigercrm.com
[mailto:vtigercrm-developers-bounces at lists.vtigercrm.com] On Behalf Of Gopal
Sent: Tuesday, August 22, 2006 9:23 PM
To: vtigercrm-developers at lists.vtigercrm.com
Subject: Re: [Vtigercrm-developers] vTiger multiple vulnerabilities


Dear Mike O'Loan,

Thanks for notifying issues in some of the modules. We will ensure that
these issues are fixed immediately. If required we will release a patch for
v4.2.3 immediately.

Regards,
Gopal
--- 
S.S.G.Gopal 
skype: sripadag 
ph: +1 877 788 4437 
blog: http://gopal.vtiger.com




---- On Tue, 22 Aug 2006 Mike O'Loan <mike.oloan at saucesoft.com> wrote ---- 

The following files still have the same SQL injection vulnerability, carried
over from vTiger 4.2.3. Although these aren't a problem with
magic_quotes_gpc turned ON, it still needs to be fixed. It has been fixed in
other modules by putting the PearDatabase::quote() function around any
variable that needs to be placed in an SQL statement. 

Affected files:
modules\Faq\ListView.php
modules\HelpDesk\ListView.php
modules\Invoice\Popup.php
modules\Leads\ListView.php
modules\Leads\Popup.php
modules\Products\Popup.php

Implementing this would reduce the SQL injection vulnerability for vTiger 4.2.x.

-- 
Mike O'Loan
Chief Technical Officer
Sauce Software Pty Ltd


     http://saucesoft.com
     Phone: +61 1300 559 165
     Fax: +61 7 3009 0442 
     Email: mike.oloan at saucesoft.com
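The fix the report describes, as an added example rather than vTiger's own code: the unquoted ListView pattern next to the PearDatabase::quote() form. It assumes vTiger's $adb->quote($s) returns $s as an escaped, single-quoted SQL literal, and uses a small stand-in for it so the file runs without a vTiger install; table and column names are illustrative.

```php
<?php
// Added example, not vTiger's own code. Contrasts the unquoted query-building
// pattern reported above with the PearDatabase::quote() fix applied elsewhere.
// Assumption: in vTiger 4.2.x the global $adb (PearDatabase) has quote($s),
// returning $s as an escaped, single-quoted SQL literal. quote_stand_in()
// mimics that so this file runs stand-alone; vTiger code should call the real one.

function quote_stand_in($value) {
    // Escape the characters that can end a string literal, then wrap in quotes.
    return "'" . str_replace(array("\\", "'"), array("\\\\", "\\'"), $value) . "'";
}

// Before: the pattern in the affected ListView/Popup files. Its only protection
// is magic_quotes_gpc, a php.ini setting the application does not control.
function faq_list_query_before($search_text) {
    return "SELECT faqid, question FROM faq WHERE question LIKE '%" . $search_text . "%'";
}

// After: every request-derived value goes through quote() before it is placed
// in the SQL string, so the statement stays well-formed regardless of
// whether magic_quotes_gpc is on or off.
function faq_list_query_after($search_text) {
    return "SELECT faqid, question FROM faq WHERE question LIKE "
        . quote_stand_in('%' . $search_text . '%');
}

// Constructed input: a legitimate value containing an apostrophe (the
// reporter's own surname). With magic_quotes_gpc off it alone breaks the
// unquoted query, which is the same boundary a hostile value would cross.
$search_text = isset($_REQUEST['search_text']) ? $_REQUEST['search_text'] : "O'Loan";

// If magic_quotes_gpc is on (PHP 5.3 and older), undo its escaping so that
// quote() escapes exactly once; the fix must not depend on that setting.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $search_text = stripslashes($search_text);
}

// The 'before' form produces an unbalanced quote on this input; the 'after'
// form produces a single, correctly escaped literal.
echo "before: " . faq_list_query_before($search_text) . "\n";
echo "after:  " . faq_list_query_after($search_text) . "\n";
```

Where the database layer supports parameterized queries, binding the value is preferable to escaping it; quote() is the fix available in the 4.2.x code base the report targets.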
