MediaCore CE Security Advisory: possible SQL injection


Felix Schwarz

Apr 30, 2012, 2:46:10 PM
to mediacore-...@googlegroups.com
MediaCore CE uses a library named 'SQLAlchemy' for database interaction. This
library was found to be vulnerable to SQL injection [1]. The issue is listed
in the Common Vulnerabilities and Exposures database as CVE-2012-0805 [2].
I'd like to thank Marco Mariani for notifying me about the issue.

[1] http://en.wikipedia.org/wiki/SQL_injection
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0805

A remote attacker can inject custom SQL into your MediaCore CE database to
read, modify, overwrite or delete MediaCore data in the database. Under
special circumstances the described bug might help an attacker exploit bugs
in your database software to get elevated system access.

Affected versions: MediaCore (CE) 0.9.x
As far as I can see, MediaCore 0.7/0.8.x is not vulnerable to this issue.

Today I released MediaCore CE 0.9.2 which fixes the issue. This release
contains only a fix for the current security issue so it should be a safe
upgrade for all users of MediaCore CE 0.9.1. Installing the new version will
update SQLAlchemy in your virtualenv to 0.6.8.

You can download the new release from
github: https://github.com/mediacore/mediacore-community/zipball/v0.9.2

Upgrade instructions can be found in the MediaCore user documentation:
http://mediacorecommunity.org/docs/install/upgrade.html
To verify that the upgrade was successful, please check that SQLAlchemy 0.6.8
is present in your virtualenv!


If you are using a git "master" snapshot (internal version number 0.9.2dev)
please update your code to the latest git head in github's master branch.
Please note that several new features went into the master branch so a DB
upgrade is required.

Felix Schwarz

PS: You might want to subscribe to the MediaCore CE announce mailing list,
which is very low traffic. Announcements (new releases, security issues, ...)
will be made there first: http://groups.google.com/group/mediacore-announce/
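An added verification script, not part of Felix's message or of the MediaCore project code: it checks that the SQLAlchemy importable from the current interpreter is at or above 0.6.8, the fixed version the advisory asks you to confirm. Run it with the python binary inside the MediaCore virtualenv. The function names and the version-parsing rules are my own assumptions; the only project-side fact it relies on is that SQLAlchemy exposes its version as `sqlalchemy.__version__`.

```python
import importlib
import re

# Minimum SQLAlchemy release that carries the fix, as stated in the advisory.
MIN_FIXED_VERSION = "0.6.8"

# Numeric dotted prefix, optionally followed by a pre-release tag such as
# "dev", "b4" or "rc1" (assumption: no other version-label formats).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)[.\-]?([A-Za-z].*)?$")


def parse_version(version):
    """Turn '0.6.8', '0.7.0b4' or '0.9.2dev' into a comparable tuple.

    Numeric components are compared first (so 0.10 > 0.6); a trailing
    alphabetic tag marks a pre-release, which sorts *below* the plain
    release with the same numbers (0.6.8dev < 0.6.8).
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError("unparseable version string: %r" % (version,))
    numbers = tuple(int(part) for part in match.group(1).split("."))
    while len(numbers) < 3:          # 0.6 compares equal to 0.6.0
        numbers += (0,)
    tag = match.group(2) or ""
    # Final release -> (0, ""), which sorts above any pre-release (-1, tag).
    release_marker = (0, "") if not tag else (-1, tag)
    return numbers, release_marker


def is_patched(version, minimum=MIN_FIXED_VERSION):
    """True if `version` is at least the release that contains the fix."""
    return parse_version(version) >= parse_version(minimum)


def installed_sqlalchemy_version():
    """Version of the SQLAlchemy importable by this interpreter, or None.

    Run with the virtualenv's python so that this reflects the virtualenv
    the advisory talks about rather than a system-wide installation.
    """
    try:
        module = importlib.import_module("sqlalchemy")
    except ImportError:
        return None
    return getattr(module, "__version__", None)


def check_environment():
    """Return (ok, human-readable message) for the current interpreter."""
    version = installed_sqlalchemy_version()
    if version is None:
        return False, "SQLAlchemy is not importable from this interpreter"
    if is_patched(version):
        return True, "SQLAlchemy %s is at or above %s" % (version, MIN_FIXED_VERSION)
    return False, ("SQLAlchemy %s is older than %s; upgrade to MediaCore CE 0.9.2"
                   % (version, MIN_FIXED_VERSION))


if __name__ == "__main__":
    ok, message = check_environment()
    print(message)
    raise SystemExit(0 if ok else 1)
```

The exit status makes the check usable from a deployment script: a non-zero exit means the virtualenv still has a vulnerable SQLAlchemy (or none at all) and the upgrade did not take effect.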