<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Business users will need a patch as they have weigh up testing and
learning the latest features, versus fixing a security hole right now.
Inclusion in the trunk is assumed.<br>
<br>
Mike Fedyk wrote:
<blockquote cite="mid008001c6c70c$6357c7f0$6a01a8c0@mikefedyk"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Generator" content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="Section1">
<p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial; color: navy;">If there are
any patches published, they
should go into the 4.2.5 release. No more “patch”
releases. That is what point releases are for.<o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial" size="2"><span
style="font-size: 10pt; font-family: Arial; color: navy;"><o:p> </o:p></span></font></p>
<div>
<div class="MsoNormal" style="text-align: center;" align="center"><font
face="Times New Roman" size="3"><span style="font-size: 12pt;">
<hr tabindex="-1" align="center" size="2" width="100%"></span></font></div>
<p class="MsoNormal"><b><font face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma; font-weight: bold;">From:</span></font></b><font
face="Tahoma" size="2"><span
style="font-size: 10pt; font-family: Tahoma;">
<a class="moz-txt-link-abbreviated" href="mailto:vtigercrm-developers-bounces@lists.vtigercrm.com">vtigercrm-developers-bounces@lists.vtigercrm.com</a>
[<a class="moz-txt-link-freetext" href="mailto:vtigercrm-developers-bounces@lists.vtigercrm.com">mailto:vtigercrm-developers-bounces@lists.vtigercrm.com</a>] <b><span
style="font-weight: bold;">On Behalf Of </span></b>Gopal<br>
<b><span style="font-weight: bold;">Sent:</span></b> Tuesday, August
22, 2006
9:23 PM<br>
<b><span style="font-weight: bold;">To:</span></b>
<a class="moz-txt-link-abbreviated" href="mailto:vtigercrm-developers@lists.vtigercrm.com">vtigercrm-developers@lists.vtigercrm.com</a><br>
<b><span style="font-weight: bold;">Subject:</span></b> Re:
[Vtigercrm-developers] vTiger mulitple vulnerabilities</span></font><o:p></o:p></p>
</div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;"><o:p> </o:p></span></font></p>
<p class="MsoNormal" style="margin-bottom: 12pt;"><font
face="Times New Roman" size="3"><span style="font-size: 12pt;">Dear
Mike O'Loan,<br>
<br>
Thanks for notifying issues in some of the modules. We will ensure that
these
issues are fixed immediately. If required we will release a patch for
v4.2.3
immediately.<br>
<br>
Regards,<br>
Gopal<br>
--- <br>
S.S.G.Gopal <br>
skype: sripadag <br>
ph: +1 877 788 4437 <br>
blog: <a class="moz-txt-link-freetext" href="http://gopal.vtiger.com">http://gopal.vtiger.com</a><br>
<br>
<br>
<br>
<br>
---- On Tue, 22 Aug 2006 <b><span style="font-weight: bold;">Mike
O'Loan
<a class="moz-txt-link-rfc2396E" href="mailto:mike.oloan@saucesoft.com"><mike.oloan@saucesoft.com></a></span></b> wrote ---- <o:p></o:p></span></font></p>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span
style="font-size: 12pt;">The following files still have the same SQL
injection vulnerability,
carried over from vTiger 4.2.3. Although these aren't a problem with
magic_quotes_gpc turned ON, it still needs to be fixed. It has been
fixed in
other modules by putting the PearDatabase::quote() function around any
variable
that needs to be placed in an SQL statement. <br>
<br>
Affected files:<br>
modules\Faq\ListView.php<br>
modules\HelpDesk\ListView.php<br>
modules\Invoice\Popup.php<br>
modules\Leads\ListView.php<br>
modules\Leads\Popup.php<br>
modules\Products\Popup.php<br clear="all">
<br>
Implementing this would reduce the SQL injection vulnerability for
vTiger 4.2.x<br>
<br>
-- <br>
Mike O'Loan<br>
Chief Technical Officer<br>
Sauce Software Pty Ltd<br>
<br>
<br>
<a href="http://saucesoft.com" target="_blank">http://saucesoft.com</a><br>
Phone: +61 1300 559 165<br>
Fax: +61 7 3009 0442 <br>
Email: <a href="mailto:mike.oloan@saucesoft.com" target="_blank">mike.oloan@saucesoft.com</a>
_______________________________________________<br>
Get started with creating presentations online - <a
href="http://zohoshow.com?vt" target="_blank">http://zohoshow.com?vt</a>
<o:p></o:p></span></font></p>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
Get started with creating presentations online - <a class="moz-txt-link-freetext" href="http://zohoshow.com?vt">http://zohoshow.com?vt</a> </pre>
</blockquote>
</body>
</html>