[jifty-devel] Security weaknesses in Jifty::DBI
Shawn M Moore
sartak at bestpractical.com
Fri Apr 15 10:38:59 EDT 2011
We have audited the Jifty::DBI code and have found several weaknesses.
We recommend that sites with Jifty deployments upgrade their Jifty::DBI to
Jifty::DBI versions up to and including 0.67 have SQL injection
weaknesses that can leave applications vulnerable, depending on how they
pass user-provided data into Jifty::DBI method calls. We do not believe
the attacks are capable of directly inserting, altering or removing data
in the database, but a user could possibly use them to retrieve
unauthorized data.
Be sure to run your application's test suite against Jifty::DBI 0.68,
because 0.68 now rejects some previously accepted abuses of method
parameters. For example, if your application passes a function call in
the "column" parameter of the limit() method, you must change this to
pass the bare column name in "column" and the function name in the
"function" parameter instead.
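The following is an added illustration of the class of weakness the advisory describes, not code from Jifty::DBI or from Best Practical. It models a limit()-style query builder in Python over an in-memory SQLite table with constructed sample rows: the "vulnerable" builder binds the value but pastes the "column" and "operator" parameters into the SQL verbatim, so a user-controlled column turns the filter into a boolean oracle on another row's data and lets a function call be smuggled through the column slot; the "hardened" builder validates the identifier structurally, quotes it, and accepts a function only through a separate allowlisted parameter. The regex, allowlists and function names are assumptions chosen for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample schema and rows for the demonstration (not from the advisory).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'alice', 'admin-secret');
        INSERT INTO users VALUES (2, 'bob',   'bob-secret');
    """)
    return conn


def limit_vulnerable(column, operator, value):
    # Pre-0.68 style builder: the bound placeholder protects `value`, but
    # `column` and `operator` are interpolated unchecked, so anything the
    # application lets a user control in those slots becomes SQL text.
    sql = f"SELECT name FROM users WHERE {column} {operator} ? ORDER BY id"
    return sql, (value,)


# Hypothetical validation rules for the hardened builder (assumptions, not Jifty::DBI's).
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # one bare identifier: no parens, spaces or quotes
ALLOWED_COLUMNS = {"id", "name", "secret"}               # application-level allowlist
ALLOWED_OPERATORS = {"=", "!=", "<", "<=", ">", ">=", "LIKE"}
ALLOWED_FUNCTIONS = {"LOWER", "UPPER", "LENGTH"}


def limit_hardened(column, operator, value, function=None):
    # Identifiers cannot be passed as bound placeholders, so they are
    # validated structurally and quoted before entering the statement.
    if not IDENTIFIER_RE.match(column) or column not in ALLOWED_COLUMNS:
        raise ValueError(f"rejected column parameter: {column!r}")
    if operator.upper() not in ALLOWED_OPERATORS:
        raise ValueError(f"rejected operator: {operator!r}")
    expr = f'"{column}"'  # quoted identifier, never raw SQL
    if function is not None:
        # A function is accepted only via its own parameter, from an allowlist.
        if function.upper() not in ALLOWED_FUNCTIONS:
            raise ValueError(f"rejected function: {function!r}")
        expr = f"{function.upper()}({expr})"
    sql = f"SELECT name FROM users WHERE {expr} {operator.upper()} ? ORDER BY id"
    return sql, (value,)


def hardened_rejects(column, operator, value, function=None):
    # True when the hardened builder refuses the parameters outright.
    try:
        limit_hardened(column, operator, value, function)
    except ValueError:
        return True
    return False


def run(conn, sql, params):
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = make_db()
    # Attacker-controlled "column": the result-set size reveals whether the
    # guess about alice's secret matched, even though only `value` is bound.
    probe = "(SELECT secret FROM users WHERE id = 1) LIKE 'admin%' OR id"
    print(run(conn, *limit_vulnerable(probe, "=", 2)))           # both rows: guess was right
    # Function call smuggled through "column", which 0.68-style checks reject.
    print(run(conn, *limit_vulnerable("LENGTH(secret)", "=", 12)))
    print(hardened_rejects(probe, "=", 2))                        # True
    print(hardened_rejects("LENGTH(secret)", "=", 12))            # True
    print(run(conn, *limit_hardened("secret", "=", 12, function="length")))
```

The probe works because the injected subquery is evaluated for every row, so a correct guess returns every row and a wrong one returns only the legitimately matched row; that is exactly the "retrieve unauthorized data" outcome described above, with no write access needed. The hardened builder closes both paths by refusing anything in "column" that is not a single allowlisted identifier, which is the same reason an application that previously passed `LENGTH(secret)` as a column must now split it into column and function parameters.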
You can get Jifty::DBI 0.68 from a CPAN mirror near you, using your
ordinary CPAN client or by downloading the following tarball: