[jifty-devel] Security weaknesses in Jifty::DBI
Shawn M Moore
2011-04-15 14:38:59 UTC
We have audited the Jifty::DBI code and have found several weaknesses.
We recommend that sites with Jifty deployments upgrade its Jifty::DBI to
0.68.

Jifty::DBI versions up to and including 0.67 have SQL injection
weaknesses that could cause applications to have vulnerabilities,
depending on how they pass user-provided data into Jifty::DBI method
calls. We do not believe attacks to be capable of directly inserting,
altering or removing data from the database, but a user could possibly
use them to retrieve unauthorized data.

Be sure to run your application's test suite against Jifty::DBI 0.68,
because Jifty::DBI now rejects some previously-accepted abuses of method
parameters. For example, if your application passes a function call in
the "column" parameter of the limit() method, you must change this to
use the "function" parameter instead.

You can get Jifty::DBI 0.68 from a CPAN mirror near you, using your
ordinary CPAN client or by downloading the following tarball:

http://search.cpan.org/CPAN/authors/id/S/SA/SARTAK/Jifty-DBI-0.68.tar.gz

4f2d2c10f225a8e10afc04fb2745e99bd3dd5d4b Jifty-DBI-0.68.tar.gz

Shawn
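The advisory's migration note (a function call smuggled into the "column" parameter of limit() is now rejected; use the "function" parameter instead) is the visible edge of a general rule: anything that becomes SQL syntax, rather than a bound value, must be constrained to a known shape. The following is an added illustration written for this thread, not Jifty::DBI's own code: a hypothetical limit()-style builder whose column/function/value parameter names are borrowed from the advisory but whose semantics (identifier-only columns, a bare function name applied to the validated column, values always bound with placeholders) are assumptions. It uses DBI with an in-memory SQLite database and constructed sample rows.

```perl
#!/usr/bin/env perl
# Added illustration for the Jifty::DBI 0.68 advisory; this is NOT Jifty::DBI's
# code. It shows the identifier check that turns "a function call in the column
# parameter" from silently accepted SQL into a rejected call, and the supported
# alternative: a separate, constrained "function" parameter. Semantics assumed.
use 5.010;
use strict;
use warnings;
use DBI;

my $IDENT = qr/[A-Za-z_][A-Za-z0-9_]*/;

# Hypothetical builder: returns a WHERE fragment plus the single bind value.
sub build_where {
    my (%args) = @_;
    my $column = $args{column} // die "column is required\n";

    # Only a plain identifier (optionally table-qualified) may become SQL.
    # This is the check that rejects e.g. 'lower(name)' passed as "column".
    die "invalid column name: $column\n"
        unless $column =~ /\A$IDENT(?:\.$IDENT)?\z/;

    my $expr = $column;
    if ( defined( my $fn = $args{function} ) ) {
        # Assumed shape: a bare SQL function name, applied to the validated
        # column. User-controlled text never becomes part of the function.
        die "invalid function: $fn\n" unless $fn =~ /\A$IDENT\z/;
        $expr = "$fn($column)";
    }

    # Operators come from a fixed allow-list, never from the caller verbatim.
    my $op = $args{operator} // '=';
    die "unsupported operator: $op\n"
        unless grep { $op eq $_ } ( '=', '!=', '<', '>', '<=', '>=', 'LIKE' );

    # The comparison value is always a placeholder, so it cannot alter the SQL.
    return ( "$expr $op ?", $args{value} );
}

sub find_users {
    my ( $dbh, %args ) = @_;
    my ( $where, $bind ) = build_where(%args);
    return $dbh->selectcol_arrayref(
        "SELECT name FROM users WHERE $where", undef, $bind );
}

my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 } );
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');

# Constructed sample rows.
$dbh->do( 'INSERT INTO users (name, role) VALUES (?, ?)', undef, @$_ )
    for [ 'alice', 'admin' ], [ 'Bob', 'user' ];

# Supported form: "column" stays a bare identifier, the function is separate.
my $rows = find_users( $dbh, column => 'name', function => 'lower', value => 'bob' );
say "matched: @$rows";    # Bob

# Previously-accepted abuse: a function call inside "column" is refused,
# so the application fails loudly in its test suite instead of emitting
# caller-supplied SQL.
eval { find_users( $dbh, column => 'lower(name)', value => 'bob' ) };
print "rejected: $@" if $@;
```

Running an application's test suite against a builder like this surfaces every call site that relied on the column parameter accepting arbitrary SQL, which is exactly the class of breakage the advisory warns 0.68 will cause; each such site becomes a column/function pair rather than a string to be interpolated.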
Yves Agostini
2011-04-15 20:21:02 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> We have audited the Jifty::DBI code and have found several weaknesses.
> We recommend that sites with Jifty deployments upgrade its Jifty::DBI to
> 0.68.
>
> Jifty::DBI versions up to and including 0.67 have SQL injection
> weaknesses that could cause applications to have vulnerabilities,
> depending on how they pass user-provided data into Jifty::DBI method
> calls. We do not believe attacks to be capable of directly inserting,
> altering or removing data from the database, but a user could possibly
> use them to retrieve unauthorized data.
>
> Be sure to run your application's test suite against Jifty::DBI 0.68,
> because Jifty::DBI now rejects some previously-accepted abuses of method
> parameters. For example, if your application passes a function call in
> the "column" parameter of the limit() method, you must change this to
> use the "function" parameter instead.
>
> You can get Jifty::DBI 0.68 from a CPAN mirror near you, using your
> http://search.cpan.org/CPAN/authors/id/S/SA/SARTAK/Jifty-DBI-0.68.tar.gz
>
> 4f2d2c10f225a8e10afc04fb2745e99bd3dd5d4b Jifty-DBI-0.68.tar.gz
>
> Shawn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAk2oWFIACgkQsxfQtHhyRPqxgwCfdkwoRx1PMy3N4FOQQpqY8UBv
Mi0AmwbodoroanPnpyr30AvqrN1J1rjC
=15G6
-----END PGP SIGNATURE-----
The attached file contains a quilt patch to backport the fix for Jifty-DBI-0.60
as packaged in Debian Squeeze (stable) and Ubuntu 10.04 LTS.

Best regards

Yves
--
---------------------------------------------------------------
Yves Agostini CRI - Université Paul Verlaine - Metz
***@univ-metz.fr http://www.crium.univ-metz.fr
tel: 03 87 31 52 63 fax: 03 87 31 53 33 PGP: 842CC261