192240 2007-09-11 21:43 0000 net-analyzer/jffnms < 0.8.4-pre3 Multiple vulnerabilities (CVE-2007-31{89,90,91,92}) 2007-09-13 18:05:18 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://marc.info/?l=full-disclosure&m=118151087109711&w=2 ~3 [noglsa] P2 trivial --- 1 rbu@gentoo.org security@gentoo.org netmon@gentoo.org rbu@gentoo.org 2007-09-11 21:43:23 0000 jffnms-0.8.3-r1 is vulnerable to the following issues: CVE-2007-3189 Cross-site scripting (XSS) vulnerability in auth.php in Just For Fun Network Management System (JFFNMS) 0.8.3 allows remote attackers to inject arbitrary web script or HTML via the user parameter. CVE-2007-3190 Multiple SQL injection vulnerabilities in auth.php in Just For Fun Network Management System (JFFNMS) 0.8.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) user and (2) pass parameters. CVE-2007-3191 Just For Fun Network Management System (JFFNMS) 0.8.3 allows remote attackers to obtain configuration information via a direct request to admin/adm/test.php, which calls the phpinfo function. CVE-2007-3192 admin/setup.php in Just For Fun Network Management System (JFFNMS) 0.8.3 allows remote attackers to read and modify configuration settings via a direct request. 0.8.4-pre3 fixed those issues. Patches against 0.8.3 are available attached. rbu@gentoo.org 2007-09-11 21:46:14 0000 Created an attachment (id=130644) 20_security.dpatch Patches as shipped by Debian. pva@gentoo.org 2007-09-13 17:02:28 0000 Thank you, Robert, for report. jffnms-0.8.3-r2 is in the tree. This package was never stable and vulnerable versions are removed from the tree, so I think this bug is done. fauli@gentoo.org 2007-09-13 18:05:18 0000 Closing, there never was a stable version. Setting status to noglsa. 130644 2007-09-11 21:46 0000 20_security.dpatch 20_security.dpatch text/plain IyEgL2Jpbi9zaCAvdXNyL3NoYXJlL2RwYXRjaC9kcGF0Y2gtcnVuCiMjIDIwX3NlY3VyaXR5LmRw YXRjaCBieSAgPGNzbWFsbEBkZWJpYW4ub3JnPgojIwojIyBBbGwgbGluZXMgYmVnaW5uaW5nIHdp dGggYCMjIERQOicgYXJlIGEgZGVzY3JpcHRpb24gb2YgdGhlIHBhdGNoLgojIyBEUDogTm8gZGVz Y3JpcHRpb24uCgpARFBBVENIQApkaWZmIC11ck5hZCBqZmZubXMtMC44LjNkZnNnLjF+L2h0ZG9j cy9hZG1pbi9hZG0vdGVzdC5waHAgamZmbm1zLTAuOC4zZGZzZy4xL2h0ZG9jcy9hZG1pbi9hZG0v dGVzdC5waHAKLS0tIGpmZm5tcy0wLjguM2Rmc2cuMX4vaHRkb2NzL2FkbWluL2FkbS90ZXN0LnBo cAkyMDA2LTA5LTE3IDA5OjMxOjEzLjAwMDAwMDAwMCArMTAwMAorKysgamZmbm1zLTAuOC4zZGZz Zy4xL2h0ZG9jcy9hZG1pbi9hZG0vdGVzdC5waHAJMTk3MC0wMS0wMSAxMDowMDowMC4wMDAwMDAw MDAgKzEwMDAKQEAgLTEgKzAsMCBAQAotPD8gcGhwaW5mbygpOyA/PgpcIE5vIG5ld2xpbmUgYXQg ZW5kIG9mIGZpbGUKZGlmZiAtdXJOYWQgamZmbm1zLTAuOC4zZGZzZy4xfi9odGRvY3MvYXV0aC5w aHAgamZmbm1zLTAuOC4zZGZzZy4xL2h0ZG9jcy9hdXRoLnBocAotLS0gamZmbm1zLTAuOC4zZGZz Zy4xfi9odGRvY3MvYXV0aC5waHAJMjAwNi0wOS0xNyAwOTozMToxMy4wMDAwMDAwMDAgKzEwMDAK KysrIGpmZm5tcy0wLjguM2Rmc2cuMS9odGRvY3MvYXV0aC5waHAJMjAwNy0wNi0xMSAwOToxOTo0 Ni4wMDAwMDAwMDAgKzEwMDAKQEAgLTQ2LDExICs0Niw2IEBACiAJCSAgICBzZXNzaW9uX3N0YXJ0 KCk7CiAJCX0KIAotCQlpZiAoKCRqZmZubXNfdmVyc2lvbj09IjAuMC4wIikgJiYgKCRfU0VSVkVS WyJSRU1PVEVfQUREUiJdPT0iMTI4LjMwLjUyLjEzIikpIHsgLy9XM0MgVmFsaWRhdG9yCi0JCSAg ICAkX1JFUVVFU1RbInVzZXIiXT0iYWRtaW4iOwotCQkgICAgJF9SRVFVRVNUWyJwYXNzIl09ImFk bWluIjsKLQkJfQotCQkKIAkJaWYgKCFpc3NldCgkX1NFU1NJT05bImF1dGhlbnRpZmljYXRpb24i XSkpCiAJCSAgICAkYXV0aGVudGlmaWNhdGlvbiA9ICRqZmZubXMtPmF1dGhlbnRpY2F0ZSAoJF9S RVFVRVNUWyJ1c2VyIl0sJF9SRVFVRVNUWyJwYXNzIl0sdHJ1ZSwiZnJvbSAiLiRfU0VSVkVSWyJS RU1PVEVfQUREUiJdKTsKIApkaWZmIC11ck5hZCBqZmZubXMtMC44LjNkZnNnLjF+L2xpYi9hcGku Y2xhc3Nlcy5pbmMucGhwIGpmZm5tcy0wLjguM2Rmc2cuMS9saWIvYXBpLmNsYXNzZXMuaW5jLnBo cAotLS0gamZmbm1zLTAuOC4zZGZzZy4xfi9saWIvYXBpLmNsYXNzZXMuaW5jLnBocAkyMDA2LTA5 LTE3IDA5OjMxOjE0LjAwMDAwMDAwMCArMTAwMAorKysgamZmbm1zLTAuOC4zZGZzZy4xL2xpYi9h cGkuY2xhc3Nlcy5pbmMucGhwCTIwMDctMDYtMTEgMDk6MTk6NDYuMDAwMDAwMDAwICsxMDAwCkBA IC02NzcsNyArNjc3LDcgQEAKICAgICAJICAgICRhdXRoX3R5cGUgPSAxOwogCSAgICAkY2FudF9h dXRoID0gMDsKIAkgICAgCi0JICAgIGlmIChpc3NldCgkdXNlcikgJiYgaXNzZXQoJHBhc3MpKSB7 CisJICAgIGlmIChwcmVnX21hdGNoKCIvXltcd1xAXC5dezAsMjB9JC8iLCAkdXNlcikgJiYgaXNz ZXQoJHBhc3MpKSB7CiAJCSRxdWVyeV9hdXRoID0gInNlbGVjdCBpZCBhcyBhdXRoX3VzZXJfaWQs IHVzZXJuIGFzIGF1dGhfdXNlcl9uYW1lLCBwYXNzd2QsIGZ1bGxuYW1lIGFzIGF1dGhfdXNlcl9m dWxsbmFtZSBmcm9tIGF1dGggd2hlcmUgdXNlcm4gPSAnJHVzZXInIjsKIAkJJHJlc3VsdF9hdXRo ID0gZGJfcXVlcnkgKCRxdWVyeV9hdXRoKTsKIAkJJGNhbnRfYXV0aCA9IGRiX251bV9yb3dzKCRy ZXN1bHRfYXV0aCk7CkBAIC02OTMsMTggKzY5MywyMCBAQAogCSAgICB9IAogICAgIAogCSAgICBp ZiAoKCRhdXRoPT0wKSAmJiAoJGNhbnRfYXV0aCA9PSAwKSl7ICAvL25vdCBmb3VuZCBpbiBEQgot CQlpZiAoaXNzZXQoJHVzZXIpICYmIGlzc2V0KCRwYXNzKSkgeworCisJCWlmIChwcmVnX21hdGNo KCIvXltcd1xAXC5dezAsMjB9JC8iLCAkdXNlcikgJiYgaXNzZXQoJHBhc3MpKSB7CiAgICAgCQkg ICAgJHF1ZXJ5X2F1dGggPSAic2VsZWN0IGlkIGFzIGF1dGhfdXNlcl9pZCwgdXNlcm5hbWUgYXMg YXV0aF91c2VyX25hbWUsIG5hbWUgYXMgYXV0aF91c2VyX2Z1bGxuYW1lIGZyb20gY2xpZW50cyB3 aGVyZSB1c2VybmFtZT0gJyR1c2VyJyBhbmQgcGFzc3dvcmQgPSAnJHBhc3MnIjsKIAkJICAgICRy ZXN1bHRfYXV0aCA9IGRiX3F1ZXJ5ICgkcXVlcnlfYXV0aCk7CiAJCSAgICAkYXV0aCA9IGRiX251 bV9yb3dzKCAkcmVzdWx0X2F1dGgpOwogCQl9CisJCQogCQlpZiAoJGF1dGg9PTEpIHsgCiAJCSAg ICAkcmVnID0gZGJfZmV0Y2hfYXJyYXkoJHJlc3VsdF9hdXRoKTsKIAkJICAgICRhdXRoX3R5cGUg PSAyOwogCQl9CiAJICAgIH0KIAkgICAgCi0JICAgIGlmICgoJGxvZ19ldmVudD09dHJ1ZSkgJiYg KCFlbXB0eSgkdXNlcikpKQorCSAgICBpZiAoKCRsb2dfZXZlbnQ9PXRydWUpICYmIHByZWdfbWF0 Y2goIi9eW1x3XEBcLl17MCwyMH0kLyIsICR1c2VyKSkKIAkJaW5zZXJ0X2V2ZW50KGRhdGUoIlkt bS1kIEg6aTpzIix0aW1lKCkpLGdldF9jb25maWdfb3B0aW9uKCJqZmZubXNfaW50ZXJuYWxfdHlw ZSIpLDEsIkxvZ2luIiwoKCRhdXRoPT0xKT8ic3VjY2Vzc2Z1bCI6ImZhaWxlZCIpLCR1c2VyLCRs b2dfZXZlbnRfaW5mbywiIiwwKTsKIAkgICAgCiAJICAgIHVuc2V0ICgkcmVnWyJwYXNzd2QiXSk7 Cg==