MediaCore CE Security Advisory: possible SQL injection


Felix Schwarz

Apr 30, 2012, 6:21:40 AM
to mediacore...@googlegroups.com
MediaCore CE uses a library named 'SQLAlchemy' for database interaction. This
library was found to be vulnerable to SQL injection [1]. The issue is listed
in the Common Vulnerabilities and Exposures Database as CVE-2012-0805 [2].
I'd like to thank Marco Mariani for notifying me about the issue.

[1] http://en.wikipedia.org/wiki/SQL_injection
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0805

A remote attacker can inject custom SQL into your MediaCore CE database to
read, modify, overwrite or delete MediaCore data in the database. Under
special circumstances the described bug might help an attacker exploit bugs
in your database software to gain elevated system access.

Affected versions: MediaCore (CE) 0.9.x
As far as I can see, MediaCore 0.7/0.8.x is not vulnerable to this issue.

Today I released MediaCore CE 0.9.2 which fixes the issue. This release
contains only a fix for the current security issue so it should be a safe
upgrade for all users of MediaCore CE 0.9.1. Installing the new version will
update SQLAlchemy in your virtualenv to 0.6.8.

You can download the new release from
github: https://github.com/mediacore/mediacore-community/zipball/v0.9.1

Upgrade instructions can be found in the MediaCore user documentation:
http://mediacorecommunity.org/docs/install/upgrade.html
To verify if the upgrade was successful, please check that SQLAlchemy 0.6.8
is present in your virtualenv!


If you are using a git "master" snapshot (internal version number 0.9.2dev)
please update your code to the latest git head in github's master branch.
Please note that several new features went into the master branch so a DB
upgrade is required.

Felix Schwarz

PS: If you need help in updating your version of MediaCore, you may be
interested in my professional services.
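The advisory asks upgraders to confirm that SQLAlchemy 0.6.8 (or later) is what actually ends up in the virtualenv. The script below is an added example for that verification step; it is not part of the advisory or of the MediaCore code base. It assumes it is run with the virtualenv's Python interpreter (so the `SQLAlchemy` distribution it sees is the one MediaCore will import) and treats the 0.6.8 release named in the advisory as the minimum, with pre-release tags such as `0.6.8b1` sorting below the final release.

```python
"""Verify that the SQLAlchemy visible to this interpreter is at least 0.6.8.

Added example for the MediaCore CE advisory above; assumes it is executed with
the Python interpreter of the MediaCore virtualenv (e.g. `venv/bin/python`).
"""
import re
import sys

# Minimum release named in the advisory as carrying the CVE-2012-0805 fix.
MIN_FIXED = "0.6.8"

# Leading dotted integers, optionally followed by a pre-release tag (b4, rc1, ...).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([A-Za-z]+\d*)?")


def parse_version(text):
    """Turn '0.6.8' or '0.7.0b4' into a tuple that compares correctly.

    Returns (numeric_components, final_flag): final_flag is 0 for a
    pre-release and 1 for a final release, so 0.6.8b1 < 0.6.8 < 0.6.8.1.
    Short versions are padded to three components ('0.6' -> (0, 6, 0)).
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised version string: %r" % (text,))
    numbers = tuple(int(part) for part in match.group(1).split("."))
    if len(numbers) < 3:
        numbers = numbers + (0,) * (3 - len(numbers))
    is_final = 0 if match.group(2) else 1
    return numbers, is_final


def is_fixed(version_text, minimum=MIN_FIXED):
    """True when version_text is at or above the fixed release."""
    return parse_version(version_text) >= parse_version(minimum)


def installed_sqlalchemy_version():
    """Return the installed SQLAlchemy version string, or None if absent.

    Uses the distribution metadata first (what pip installed), and falls back
    to importing the package, which is what MediaCore itself will do.
    """
    try:
        from importlib.metadata import version, PackageNotFoundError
        try:
            return version("SQLAlchemy")
        except PackageNotFoundError:
            pass
    except ImportError:  # Python < 3.8: no importlib.metadata
        pass
    try:
        import sqlalchemy
        return sqlalchemy.__version__
    except ImportError:
        return None


def check_virtualenv():
    """Return (version_or_None, ok) for the interpreter this runs under."""
    found = installed_sqlalchemy_version()
    return found, bool(found) and is_fixed(found)


if __name__ == "__main__":
    found, ok = check_virtualenv()
    if found is None:
        print("SQLAlchemy is not installed in %s" % sys.prefix)
        sys.exit(2)
    print("SQLAlchemy %s in %s: %s" % (found, sys.prefix,
                                       "OK" if ok else "VULNERABLE, upgrade"))
    sys.exit(0 if ok else 1)
```

Run it as `venv/bin/python check_sqlalchemy.py` from the MediaCore installation; a non-zero exit means the upgrade did not replace the library in that virtualenv (for example because a system-wide SQLAlchemy shadows it, or the wrong interpreter was used).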

Felix Schwarz

Apr 30, 2012, 6:26:44 AM
to mediacore...@googlegroups.com

On 30.04.2012 12:21, Felix Schwarz wrote:
> You can download the new release from
> github: https://github.com/mediacore/mediacore-community/zipball/v0.9.1

Darn, that was the old download URL. Please be sure to use the new one:
https://github.com/mediacore/mediacore-community/zipball/v0.9.2

Felix
