
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">


<head>

<meta http-equiv=Content-Type content="text/html; charset=us-ascii">

<meta name=Generator content="Microsoft Word 11 (filtered medium)">

<!--[if !mso]>

<style>

v\:* {behavior:url(#default#VML);}

o\:* {behavior:url(#default#VML);}

w\:* {behavior:url(#default#VML);}

.shape {behavior:url(#default#VML);}

</style>

<![endif]-->

<style>

<!--

 /* Font Definitions */

 @font-face

        {font-family:Tahoma;

        panose-1:2 11 6 4 3 5 4 4 2 4;}

 /* Style Definitions */

 p.MsoNormal, li.MsoNormal, div.MsoNormal

        {margin:0in;

        margin-bottom:.0001pt;

        font-size:12.0pt;

        font-family:"Times New Roman";}

a:link, span.MsoHyperlink

        {color:blue;

        text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed

        {color:blue;

        text-decoration:underline;}

span.EmailStyle17

        {mso-style-type:personal-reply;

        font-family:Arial;

        color:navy;}

@page Section1

        {size:8.5in 11.0in;

        margin:1.0in 1.25in 1.0in 1.25in;}

div.Section1

        {page:Section1;}

-->

</style>

<!--[if gte mso 9]><xml>

 <o:shapedefaults v:ext="edit" spidmax="1026" />

</xml><![endif]--><!--[if gte mso 9]><xml>

 <o:shapelayout v:ext="edit">

  <o:idmap v:ext="edit" data="1" />

 </o:shapelayout></xml><![endif]-->

</head>


<body lang=EN-US link=blue vlink=blue>


<div class=Section1>


<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:

10.0pt;font-family:Arial;color:navy'>If there are any patches published, they

should go into the 4.2.5 release.&nbsp; No more &#8220;patch&#8221;

releases.&nbsp; That is what point releases are for.<o:p></o:p></span></font></p>


<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:

10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>


<div>


<div class=MsoNormal align=center style='text-align:center'><font size=3

face="Times New Roman"><span style='font-size:12.0pt'>


<hr size=2 width="100%" align=center tabindex=-1>


</span></font></div>


<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;

font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2

face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>

vtigercrm-developers-bounces@lists.vtigercrm.com

[mailto:vtigercrm-developers-bounces@lists.vtigercrm.com] <b><span

style='font-weight:bold'>On Behalf Of </span></b>Gopal<br>

<b><span style='font-weight:bold'>Sent:</span></b> Tuesday, August 22, 2006

9:23 PM<br>

<b><span style='font-weight:bold'>To:</span></b>

vtigercrm-developers@lists.vtigercrm.com<br>

<b><span style='font-weight:bold'>Subject:</span></b> Re:

[Vtigercrm-developers] vTiger mulitple vulnerabilities</span></font><o:p></o:p></p>


</div>


<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:

12.0pt'><o:p>&nbsp;</o:p></span></font></p>


<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3

face="Times New Roman"><span style='font-size:12.0pt'>Dear Mike O'Loan,<br>

<br>

Thanks for notifying issues in some of the modules. We will ensure that these

issues are fixed immediately. If required we will release a patch for v4.2.3

immediately.<br>

<br>

Regards,<br>

Gopal<br>

--- <br>

S.S.G.Gopal <br>

skype: sripadag <br>

ph: +1 877 788 4437 <br>

blog: http://gopal.vtiger.com<br>

<br>

<br>

<br>

<br>

---- On Tue, 22 Aug 2006 <b><span style='font-weight:bold'>Mike O'Loan

&lt;mike.oloan@saucesoft.com&gt;</span></b> wrote ---- <o:p></o:p></span></font></p>


<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:

12.0pt'>The following files still have the same SQL injection vulnerability,

carried over from vTiger 4.2.3. Although these aren't a problem with

magic_quotes_gpc turned ON, it still needs to be fixed. It has been fixed in

other modules by putting the PearDatabase::quote() function around any variable

that needs to be placed in an SQL statement. <br>

<br>

Affected files:<br>

modules\Faq\ListView.php<br>

modules\HelpDesk\ListView.php<br>

modules\Invoice\Popup.php<br>

modules\Leads\ListView.php<br>

modules\Leads\Popup.php<br>

modules\Products\Popup.php<br clear=all>

<br>

Implementing this would reduce the SQL injection vulnerability for vTiger 4.2.x<br>

<br>

-- <br>

Mike O'Loan<br>

Chief Technical Officer<br>

Sauce Software Pty Ltd<br>

<br>

<br>

&nbsp;&nbsp;&nbsp;&nbsp; <a href="http://saucesoft.com" target="_blank">http://saucesoft.com</a><br>

&nbsp;&nbsp;&nbsp;&nbsp; Phone: +61 1300 559 165<br>

&nbsp;&nbsp;&nbsp;&nbsp; Fax: +61 7 3009 0442 <br>

&nbsp;&nbsp;&nbsp;&nbsp; Email: <a href="mailto:mike.oloan@saucesoft.com"

target="_blank">mike.oloan@saucesoft.com</a>

_______________________________________________<br>

Get started with creating presentations online - <a

href="http://zohoshow.com?vt" target="_blank">http://zohoshow.com?vt</a> <o:p></o:p></span></font></p>


</div>


</body>


</html>