
Bug 130295 (CVE-2006-1819)

Summary: www-apps/phpwebsite local file inclusion (CVE-2006-1819)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/19647/
Whiteboard: B2 [glsa] DerCorny
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-17 13:11:31 UTC
rgod has reported a vulnerability in phpWebSite, which can be exploited by malicious people to disclose sensitive information and potentially compromise a vulnerable system.

Input passed to the "hub_dir" parameter in "index.php" isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources.

This can further be exploited to include arbitrary PHP scripts from an external Windows share if the affected system is running PHP 5 on Windows.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerability has been reported in version 0.10.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Provided and/or discovered by:
rgod
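The advisory's fix advice ("ensure that input is properly verified") in working form, as an added example that is not phpWebSite's code: the parameter is checked against an explicit allowlist and the resolved path is confirmed to stay under the application root, so the fix does not depend on magic_quotes_gpc or on any other PHP setting. The names hub_dir, the directory layout and the allowed list are assumptions.

```php
<?php
// Added example, not phpWebSite's code. The file layout, the allowed
// hub names and the helper names below are assumptions.
//
// The class of bug the advisory describes is a request parameter used
// directly as part of an include path, roughly:
//     include($_GET['hub_dir'] . '/core/Core.php');
// which lets the caller choose which file is included.

// Return the canonical path of the hub file, or null if the request
// must be rejected. Validation is done on the *name*, not by trying to
// filter dangerous characters out of the input.
function safe_hub_file(string $hub_dir, string $app_root, array $allowed): ?string
{
    // 1. Only names that are explicitly listed are acceptable. A value
    //    with "..", "/", a NUL byte or a UNC path never matches, so the
    //    check holds whether or not magic_quotes_gpc is enabled.
    if (!in_array($hub_dir, $allowed, true)) {
        return null;
    }

    // 2. Defence in depth: resolve the path (follows symlinks, removes
    //    "..") and confirm it is still below the application root.
    $root   = realpath($app_root);
    $target = realpath($app_root . '/' . $hub_dir . '/core/Core.php');
    if ($root === false || $target === false) {
        return null;   // missing file or unresolvable path
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;   // escaped the application root
    }
    return $target;
}

// Constructed list of hub directories this install is allowed to load.
$allowed_hubs = ['hub', 'hub_test'];

$file = safe_hub_file((string)($_GET['hub_dir'] ?? ''), __DIR__, $allowed_hubs);
if ($file === null) {
    http_response_code(400);
    exit('invalid hub_dir');
}
require $file;
```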
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-19 08:47:52 UTC
web-apps, please provide fixed ebuilds, thanks
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-04-28 12:27:25 UTC
Patch available at:
http://phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=1116

web-apps please patch
Comment 3 Renat Lumpau (RETIRED) gentoo-dev 2006-04-28 13:25:17 UTC
in CVS
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-28 21:54:54 UTC
Thx Renat.

Arches please test and mark stable.
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-29 02:04:47 UTC
ppc stable
Comment 6 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2006-04-29 09:55:26 UTC
alpha stable.
Comment 7 Mark Loeser (RETIRED) gentoo-dev 2006-04-29 21:31:59 UTC
x86 stable
Comment 8 Jason Wever (RETIRED) gentoo-dev 2006-04-30 10:37:25 UTC
Stable on SPARC
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-05-02 09:37:35 UTC
Ready for GLSA
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-02 11:36:26 UTC
GLSA 200605-04