123442 2006-02-19 21:35 0000 dev-php/adodb: cross site scripting vulnerability 2009-01-11 19:05:36 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.gulftech.org/?node=research&article_id=00101-02182006 B4 [noglsa] DerCorny P2 minor --- 1 dercorny@gentoo.org security@gentoo.org php-bugs@gentoo.org dercorny@gentoo.org 2006-02-19 21:35:52 0000 There are several Cross Site Scripting issues in ADOdb versions 4.71 and possibly earlier that may allow for an attacker to render malicious client side code in the victim's browser. if (isset($_GET[$next_page])) { $_SESSION[$curr_page] = $_GET[$next_page]; } if (empty($_SESSION[$curr_page])) $_SESSION[$curr_page] = 1; ## at first page $this->curr_page = $_SESSION[$curr_page]; dercorny@gentoo.org 2006-02-19 21:36:53 0000 web-apps team please bump, thx. jakub@gentoo.org 2006-02-20 04:00:50 0000 Not webapps ;) Also, there's no update available now, 4.71 is still latest version upstream. dercorny@gentoo.org 2006-02-23 07:50:32 0000 4.72 seems to be released, http://sourceforge.net/project/showfiles.php?group_id=42718&package_id=34890&release_id=395252 chtekk@gentoo.org 2006-02-23 09:27:48 0000 Thanks for the notification, dev-php/adodb-4.72 is now in the tree. Best regards, CHTEKK. dercorny@gentoo.org 2006-02-23 09:30:13 0000 arches pls test and mark stable, thx koon@gentoo.org 2006-02-23 09:56:18 0000 Stefan, please add arches when setting [stable] Target KEYWORDS="alpha amd64 ia64 ppc ppc64 ~sparc x86" corsair@gentoo.org 2006-02-23 12:54:12 0000 stable on ppc64 halcy0n@gentoo.org 2006-02-24 20:23:09 0000 x86 done kloeri@gentoo.org 2006-02-26 06:37:03 0000 Stable on alpha + ia64. dertobi123@gentoo.org 2006-02-26 10:50:31 0000 ppc stable blubb@gentoo.org 2006-02-27 11:32:12 0000 amd64 stable. happy voting! dercorny@gentoo.org 2006-02-28 08:11:51 0000 Hehe thx blubb, i tend to say yes koon@gentoo.org 2006-03-03 09:50:54 0000 I tend to say no... Could be convinced otherwise if a major portage package made use of this... koon@gentoo.org 2006-03-06 13:37:52 0000 RDEPs: dev-php4/adodb-ext-503 dev-php5/adodb-ext-503 net-analyzer/acid-0.9.6_beta23 net-analyzer/acid-0.9.6_beta23-r1 net-analyzer/base-1.2.2 net-analyzer/base-1.2.2-r1 net-www/bugport-1.146 No real XSS victim here, I vote no. taviso@gentoo.org 2006-03-06 13:39:34 0000 agree with Koon, no major target for Xss, voting NO and closing.