Question

We found the following security report CVE-2014-3719 regarding Aleph:
http://packetstormsecurity.com/files/126635/Aleph-500-SQL-Injection.html published on May 16, 2014.

Could you provide any information that you have related to this? Is this something that we should be concerned about?

Answer

Our Security Office has reviewed the SQL Injection issue with Aleph Development, and they have determined that Aleph 20 is not affected by this vulnerability.

We are aware that some Aleph customers use the cgi-bin directory to run scripts using the Apache platform ( http://httpd.apache.org/docs/2.2/howto/cgi.html ). We are aware of two specific scripts (review_m.cgi and tag_m.cgi) that are affected, but the Aleph “out of the box” software does not provide these scripts, therefore it is not an Aleph vulnerability.

• Article last edited: 8/4/2014