Fixes CVE-2014-3830 and CVE-2014-3978 #238


@breakingtech

No description provided.

@ghost
ghost commented Aug 13, 2014

I received this email; however, I'm not sure what to do with it. I followed the link(s) and it looks like it is changing some code in TomatoCart, but I'm not sure what it is supposed to fix. I've put in a couple of bug reports for problems I have found. Do these fixes have something to do with my bug reports?

I apologize for any confusion, but I'm not a programmer and I'm not sure how GitHub works or how to apply any fixes that might be stored there.

Any help will be appreciated.

Thanks
Frank Carey
papafrankc@gmail.com

On 8/5/2014 12:49 PM, breakingtech wrote:


    You can merge this Pull Request by running

git pull https://github.com/breakingtech/TomatoCart-v1 master

Or view, comment on, or merge it at:

#238


@noncetonic

Since this has been open for forever...

@int2k @nazrulworld @adietuk @KonzolozZ

@ghost
ghost commented Sep 8, 2014

I clicked on the links in this email; however, I'm not sure why I received it. Can you tell me the purpose of the email, please? I am a TomatoCart user, but I don't understand the purpose of the email.

Thanks
Frank Carey

On 9/4/2014 9:45 AM, Connection wrote:

Since this has been open for forever...

@int2k https://github.com/int2k @nazrulworld https://github.com/nazrulworld @adietuk https://github.com/adietuk @KonzolozZ https://github.com/KonzolozZ


@nyov
nyov commented Dec 7, 2014

Oh wow, this is how security patches are handled here?
Good thing I found it before checking out the code.

No wonder all the demo sites were broken or offline...

Timeline:
    06 June 2014   - CVE-2014-3978 assigned
    06 June 2014   - Submitted to vendor
    25 June 2014   - Received inadequate patch from vendor
    26 June 2014   - Suggested patch sent to vendor
    17 July 2014   - Request for update from vendor, no response.
    05 August 2014 - Pull request sent on github for full patch

Status:
    Vendor ignored, see suggested fix below.

Released:
    05 August 2014 -
https://breaking.technology/advisories/CVE-2014-3978.txt

Classification:
    SQL Injection

Exploit Complexity:
    Low

Severity:
    High

For the non-coders -- this allows people to steal all your customer and site data and mess up your shop real nice.
Looks like no security awareness here at all. Never mind the fix; I would suggest dropping this software like a hot potato.
