Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
jffnms-0.8.3-r1 is vulnerable to the following issues: CVE-2007-3189 Cross-site scripting (XSS) vulnerability in auth.php in Just For Fun Network Management System (JFFNMS) 0.8.3 allows remote attackers to inject arbitrary web script or HTML via the user parameter. CVE-2007-3190 Multiple SQL injection vulnerabilities in auth.php in Just For Fun Network Management System (JFFNMS) 0.8.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) user and (2) pass parameters. CVE-2007-3191 Just For Fun Network Management System (JFFNMS) 0.8.3 allows remote attackers to obtain configuration information via a direct request to admin/adm/test.php, which calls the phpinfo function. CVE-2007-3192 admin/setup.php in Just For Fun Network Management System (JFFNMS) 0.8.3 allows remote attackers to read and modify configuration settings via a direct request. 0.8.4-pre3 fixed those issues. Patches against 0.8.3 are available attached.
Created an attachment (id=130644) [details] 20_security.dpatch Patches as shipped by Debian.
Thank you, Robert, for report. jffnms-0.8.3-r2 is in the tree. This package was never stable and vulnerable versions are removed from the tree, so I think this bug is done.
Closing, there never was a stable version. Setting status to noglsa.
