[jifty-devel] Security weaknesses in Jifty::DBI

Shawn M Moore sartak at bestpractical.com
Fri Apr 15 10:38:59 EDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We have audited the Jifty::DBI code and have found several weaknesses.
We recommend that sites with Jifty deployments upgrade their Jifty::DBI
to 0.68.

Jifty::DBI versions up to and including 0.67 have SQL injection
weaknesses that could cause applications to have vulnerabilities,
depending on how they pass user-provided data into Jifty::DBI method
calls. We do not believe attacks to be capable of directly inserting,
altering or removing data from the database, but a user could possibly
use them to retrieve unauthorized data.

Be sure to run your application's test suite against Jifty::DBI 0.68,
because Jifty::DBI now rejects some previously-accepted abuses of method
parameters. For example, if your application passes a function call in
the "column" parameter of the limit() method, you must change this to
use the "function" parameter instead.
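
As an added illustration of that migration (this is example code written
for this page, not code from the advisory or from Jifty::DBI itself): a
search helper that used to build the column expression by hand and now
uses limit()'s "function" parameter, with the request-supplied column
name checked against an allowlist before it reaches Jifty::DBI at all.
The collection and record class MyApp::Model::UserCollection, its name
and email accessors, and the database file are assumptions, and the
'LOWER(?)' spelling (with '?' standing for the qualified column name) is
assumed from the Jifty::DBI::Collection documentation.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use Jifty::DBI::Handle;
use MyApp::Model::UserCollection;   # assumed application class, not part of Jifty::DBI

# Columns a request parameter is allowed to name. Column identifiers are
# interpolated into SQL, not bound like values, so they must never come
# straight from the request, even with the 0.68 validation in place.
my %searchable = map { $_ => 1 } qw(name email);

my $handle = Jifty::DBI::Handle->new;
$handle->connect( driver => 'SQLite', database => 'myapp.db' );   # assumed database

sub find_users {
    my ( $column, $value ) = @_;

    die "unknown search column '$column'\n" unless $searchable{$column};

    my $users = MyApp::Model::UserCollection->new( handle => $handle );

    # Before 0.68 this was often written as
    #     column => "LOWER($column)", operator => '=', value => lc $value
    # Jifty::DBI 0.68 rejects a function call in "column"; the function
    # belongs in "function" and "column" carries only the bare identifier.
    $users->limit(
        column   => $column,
        function => 'LOWER(?)',      # '?' is replaced with the qualified column (assumed)
        operator => '=',
        value    => lc $value,       # passed as a value, so Jifty::DBI quotes it
    );

    return $users;
}

# Simulated request input; the column name is a constructed sample and the
# value is deliberately hostile to show it is treated as data, not SQL.
my $column_from_request = 'email';
my $value_from_request  = "x' OR '1'='1";

my $users = find_users( $column_from_request, $value_from_request );
while ( my $user = $users->next ) {
    printf "%s <%s>\n", $user->name, $user->email;
}
```

The die() on an unknown column is the part worth keeping after the
upgrade: Jifty::DBI 0.68 tightens what it accepts in "column", but the
application is still the only place that knows which columns a given
request may filter on.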

You can get Jifty::DBI 0.68 from a CPAN mirror near you, using your
ordinary CPAN client or by downloading the following tarball:

http://search.cpan.org/CPAN/authors/id/S/SA/SARTAK/Jifty-DBI-0.68.tar.gz

4f2d2c10f225a8e10afc04fb2745e99bd3dd5d4b  Jifty-DBI-0.68.tar.gz

Shawn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAk2oWFIACgkQsxfQtHhyRPqxgwCfdkwoRx1PMy3N4FOQQpqY8UBv
Mi0AmwbodoroanPnpyr30AvqrN1J1rjC
=15G6
-----END PGP SIGNATURE-----