MediaCore CE Security Advisory: possible SQL injection

1 view
Skip to first unread message

Felix Schwarz

unread,
Apr 30, 2012, 6:21:40 AM4/30/12
to mediacore...@googlegroups.com
MediaCore CE uses a library named 'SQLAlchemy' for database interaction. This
library was found to be vulnerable for SQL injections [1]. The issue is listed
in the Common Vulnerabilities and Exposures Database as CVE-2012-0805 [2].
I'd like to thank Marco Mariani for notifying me about the issue.

[1] http://en.wikipedia.org/wiki/SQL_injection
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0805

A remote attacker can inject custom SQL in your MediaCore CE database to
read, modify, overwrite or delete MediaCore data in the database. Under
special circumstances the described bug might help an attacker exploiting bugs
in your database software to get elevated system access.

Affected versions: MediaCore (CE) 0.9.x
As far as I can see, MediaCore 0.7/0.8.x is not vulnerable to this issue.

Today I released MediaCore CE 0.9.2 which fixes the issue. This release
contains only a fix for the current security issue so it should be a safe
upgrade for all users of MediaCore CE 0.9.1. Installing the new version will
update SQLAlchemy in your virtualenv to 0.6.8.

You can download the new release from
github: https://github.com/mediacore/mediacore-community/zipball/v0.9.1

Upgrade instructions can be found in the MediaCore user documentation:
http://mediacorecommunity.org/docs/install/upgrade.html
To verify if the upgrade was successful, please check that SQLAlchemy 0.6.8
is present in your virtualenv!


If you are using a git "master" snapshot (internal version number 0.9.2dev)
please update your code to the latest git head in github's master branch.
Please note that several new features went into the master branch so a DB
upgrade is required.

Felix Schwarz

PS: If you need help in updating your version of MediaCore, you may be
interested in my professional services.

Felix Schwarz

unread,
Apr 30, 2012, 6:26:44 AM4/30/12
to mediacore...@googlegroups.com

Am 30.04.2012 12:21, schrieb Felix Schwarz:
> You can download the new release from
> github: https://github.com/mediacore/mediacore-community/zipball/v0.9.1

Darn, that was the old download URL. Please be sure to use the new one:
https://github.com/mediacore/mediacore-community/zipball/v0.9.2

Felix

Reply all
Reply to author
Forward
0 new messages