path: root/zarb-ml/mageia-dev/attachments/20120409/ea181ca7/attachment.html
ping?<br><br>On Monday, April 9, 2012, Funda Wang &lt;<a href="mailto:fundawang@gmail.com">fundawang@gmail.com</a>&gt; wrote:<br>&gt; ping?<br>&gt;<br>&gt; 2012/4/8 Funda Wang &lt;<a href="mailto:fundawang@gmail.com">fundawang@gmail.com</a>&gt;:<br>
&gt;&gt; Hello,<br>&gt;&gt;<br>&gt;&gt; Could somebody push redmine 1.3.2 into cauldron?<br>&gt;&gt;<br>&gt;&gt; Redmine before 1.3.2 does not properly restrict the use of a hash to<br>&gt;&gt; provide values for a model&#39;s attributes, which allows remote attackers<br>
&gt;&gt; to set attributes in the (1) Comment, (2) Document, (3) IssueCategory,<br>&gt;&gt; (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8)<br>&gt;&gt; Version, (9) Wiki, (10) UserPreference, or (11) Board model via a<br>
&gt;&gt; modified URL, related to a &quot;mass assignment&quot; vulnerability, a<br>&gt;&gt; different vulnerability than CVE-2012-0327.<br>&gt;&gt;<br>&gt;&gt; Thanks.<br>&gt;
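
The mass-assignment pattern that the quoted advisory text describes, shown as an added example in plain Ruby. It is not part of the original message and is not Redmine code; the class names, attribute names and request parameters are constructed for illustration.

```ruby
require 'set'

# Hypothetical model: copies every key of a request hash onto the object.
class UnsafeComment
  attr_accessor :body, :author_id

  # Vulnerable pattern: the caller decides which attributes get written.
  def attributes=(params)
    params.each { |key, value| public_send("#{key}=", value) }
  end
end

# Hypothetical hardened model: only allowlisted keys are ever assigned.
class SafeComment
  attr_accessor :body, :author_id
  ASSIGNABLE = Set['body'].freeze # fields the form is meant to carry

  # Returns the rejected keys so the caller can log them for review.
  def assign_from_request(params)
    rejected = []
    params.each do |key, value|
      name = key.to_s
      if ASSIGNABLE.include?(name)
        public_send("#{name}=", value)
      else
        rejected << name
      end
    end
    rejected
  end
end

# Constructed sample: parameters as a framework would parse them from a URL
# that carries one field the form never offered (author_id).
def constructed_params
  { 'body' => 'hi', 'author_id' => '1' }
end

def demo
  unsafe = UnsafeComment.new
  unsafe.author_id = 42 # value the server set from the session
  unsafe.attributes = constructed_params

  safe = SafeComment.new
  safe.author_id = 42
  rejected = safe.assign_from_request(constructed_params)

  { unsafe_author: unsafe.author_id, safe_author: safe.author_id,
    safe_body: safe.body, rejected: rejected }
end
```

The rejected-key list is worth logging: an unexpected attribute name in a request is a cheap signal that someone is probing a model's fields.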