[Vtigercrm-developers] vTiger multiple vulnerabilities

Mike Fedyk mfedyk at mikefedyk.com
Wed Aug 23 18:11:56 PDT 2006


I don't know if there is a branch for 4.2.5 yet, but if there are 
security issues in 4.2.4 then 4.2.5 should only contain security fixes. 
4.2.6 can be based off of 4.2-trunk.

Brett Hooker wrote:
> Business users will need a patch as they have to weigh up testing and 
> learning the latest features, versus fixing a security hole right now. 
> Inclusion in the trunk is assumed.
>
> Mike Fedyk wrote:
>>
>> If there are any patches published, they should go into the 4.2.5 
>> release. No more “patch” releases. That is what point releases are for.
>>
>> ------------------------------------------------------------------------
>>
>> *From:* vtigercrm-developers-bounces at lists.vtigercrm.com 
>> [mailto:vtigercrm-developers-bounces at lists.vtigercrm.com] *On Behalf 
>> Of *Gopal
>> *Sent:* Tuesday, August 22, 2006 9:23 PM
>> *To:* vtigercrm-developers at lists.vtigercrm.com
>> *Subject:* Re: [Vtigercrm-developers] vTiger multiple vulnerabilities
>>
>> Dear Mike O'Loan,
>>
>> Thanks for notifying issues in some of the modules. We will ensure 
>> that these issues are fixed immediately. If required we will release 
>> a patch for v4.2.3 immediately.
>>
>> Regards,
>> Gopal
>> ---
>> S.S.G.Gopal
>> skype: sripadag
>> ph: +1 877 788 4437
>> blog: http://gopal.vtiger.com
>>
>> ---- On Tue, 22 Aug 2006 *Mike O'Loan <mike.oloan at saucesoft.com>* 
>> wrote ----
>>
>> The following files still have the same SQL injection vulnerability, 
>> carried over from vTiger 4.2.3. Although these aren't a problem with 
>> magic_quotes_gpc turned ON, it still needs to be fixed. It has been 
>> fixed in other modules by putting the PearDatabase::quote() function 
>> around any variable that needs to be placed in an SQL statement.
>>
>> Affected files:
>> modules\Faq\ListView.php
>> modules\HelpDesk\ListView.php
>> modules\Invoice\Popup.php
>> modules\Leads\ListView.php
>> modules\Leads\Popup.php
>> modules\Products\Popup.php
>>
>> Implementing this would reduce the SQL injection vulnerability for 
>> vTiger 4.2.x
>>
>> -- 
>> Mike O'Loan
>> Chief Technical Officer
>> Sauce Software Pty Ltd
>>
>>
>> http://saucesoft.com
>> Phone: +61 1300 559 165
>> Fax: +61 7 3009 0442
>> Email: mike.oloan at saucesoft.com <mailto:mike.oloan at saucesoft.com> 
>> _______________________________________________
>> Get started with creating presentations online - http://zohoshow.com?vt
>>


