For details please see: http://seclists.org/fulldisclosure/2013/Dec/199
Are these issues already fixed in some version? If not, do you have a plan already?
Are these issues tracked in some issue tracker?
Have you requested CVE identifiers for these security updates?
This is the first communication I've received regarding the issue. Will look into this immediately.
Henri, you are a gentleman for posting a ticket here where anyone active on the project can see it. Thank you!
In answer to your questions (as far as I know):
The disclosed issues have now been fixed. I've written a wiki page to provide more details - https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-(27th-Dec-2013) - and announced it on the Fat Free CRM Users list.
I can request CVE identifiers for these issues. Thank you for reacting quickly.
CVEs requested http://www.openwall.com/lists/oss-security/2013/12/28/1
CVEs have been assigned. A few comments from Mitre too. Could you please answer?
CVE-2013-7222: Known Session Secret
CVE-2013-7223: Lack of CSRF Protection
CVE-2013-7224: Default to_json for models
CVE-2013-7225: Multiple SQL Injections
For item 3: if there is an information-disclosure vulnerability involving to_xml, please let us know and we can assign an additional CVE ID. The joernchen advisory mentioned only to_json, and therefore to_xml has a different discoverer and may require a separate CVE ID.

If there is a denial of service issue involving :delete, please let us know and we can assign an additional CVE ID. The joernchen advisory mentioned only "renders JSON requests with a full JSON object," and therefore :delete has a different discoverer and may require a separate CVE ID.
CVE-2013-7249 also assigned for the to_xml variant of CVE-2013-7224
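The two serialization CVEs above (CVE-2013-7224 for the default to_json and CVE-2013-7249 for the to_xml variant) share one root cause: in Rails, `render json: @model` and `render xml: @model` fall back to the model's `to_json`/`to_xml`, which emit every attribute unless the model narrows them. The plain Ruby below is an added illustration written for this page, not Fat Free CRM's code or its actual fix; the `User` class, its attribute names and the sample record are constructed for the example. It contrasts the unfiltered dump with a whitelisting `as_json` override and routes `to_xml` through the same filter, since fixing only the JSON path leaves the XML path open.

```ruby
require 'json'

# Constructed stand-in for an ActiveRecord model. The attribute names are
# assumptions for illustration and are not taken from Fat Free CRM.
class User
  ATTRIBUTES = %i[id username email password_hash api_token].freeze
  attr_reader(*ATTRIBUTES)

  # Attributes an API caller may see. Anything else stays on the server
  # unless the caller is explicitly allowed to ask for it.
  PUBLIC_ATTRIBUTES = %i[id username].freeze

  def initialize(**attrs)
    ATTRIBUTES.each { |a| instance_variable_set("@#{a}", attrs[a]) }
  end

  # Every column as a Hash, which is what ActiveRecord#attributes returns.
  def attributes
    ATTRIBUTES.to_h { |a| [a.to_s, public_send(a)] }
  end

  # What the default model to_json produces: all columns, credentials and
  # tokens included. Kept only to show the exposure side by side.
  def to_json_unfiltered
    JSON.generate(attributes)
  end

  # Whitelisting as_json, the shape of the usual Rails fix: start from
  # PUBLIC_ATTRIBUTES and let :only / :except narrow, never widen, the set.
  def as_json(options = {})
    wanted = PUBLIC_ATTRIBUTES
    wanted &= Array(options[:only]).map(&:to_sym) if options[:only]
    wanted -= Array(options[:except]).map(&:to_sym) if options[:except]
    wanted.to_h { |a| [a.to_s, public_send(a)] }
  end

  def to_json(options = {})
    JSON.generate(as_json(options))
  end

  # The XML path must use the same filter; otherwise render xml: re-exposes
  # exactly what the JSON fix hid.
  def to_xml(options = {})
    body = as_json(options).map { |k, v| "  <#{k}>#{xml_escape(v)}</#{k}>\n" }.join
    "<user>\n#{body}</user>\n"
  end

  private

  def xml_escape(value)
    value.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample record.
  u = User.new(id: 1, username: 'alice', email: 'alice@example.com',
               password_hash: 'bcrypt-hash-placeholder', api_token: 'secret-token')
  puts u.to_json_unfiltered          # leaks email, password_hash, api_token
  puts u.to_json                     # {"id":1,"username":"alice"}
  puts u.to_json(only: [:api_token]) # {} : :only cannot widen the whitelist
  puts u.to_xml(except: [:id])
end
```

The point of deriving `to_xml` from `as_json` is that each format should not carry its own attribute list: one whitelist, one place to audit, and a new `respond_to` format cannot quietly reintroduce the disclosure.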
Just to be sure, because I do not see it obviously covered:
Is the issue of exposing the list of all user names (or email addresses) handled?
As noted in a reply to the original report,
view the source of:
showing a list of users.
In case you missed it, the 2nd security advisory has been released. I'm going to close this issue now.