VWE-2011-0101 Printable Version
This page is a chapter in Info Known Vulnerabilities
The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Common Name None VWE-ID VWE-2011-0101 Related Report None Severity HIGH Exploit Difficulty EASY Platform Affects all platforms supported by the vulnerable versions. Description MySQL injection. A malicious user may be able to execute arbitrary MySQL when comparing wiki history revisions, by using a flaw in the logic for handling of oldid URL parameters for directional revision selection. Does not affect Lite versions.
Discovered February 18, 2011 Resolved February 28, 2011 Patches Available 3.0.11
3.0.10 Patch Level 1
3.0.9 Patch Level 1
3.0.8 Patch Level 1
3.0.7 Patch Level 1
3.0.6 Patch Level 1
3.0.5 Patch Level 1
3.0.4 Patch Level 1
3.0.3 Patch Level 1
3.0.2 Patch Level 1
3.0.1 Patch Level 1
Patch Was Unnecessary
On February 18, 2011, the bug in issue #2240 was found and fixed. This fix apparently created a MySQL injection vulnerability but was not yet public. The new vulnerability was discovered February 28, 2011. Due to a lack of version control systems for the life of the 3.x series, this vulnerability was assumed to already be public, and a patch was released rather than simply fixing it in the development version only.
Caveat: Since no version control system was in use at the time and internal security patch notes from 3.x were lost in 2015, the current explanation for this patch had to be extrapolated from peripheral data.