Bug 192240 - net-analyzer/jffnms < 0.8.4-pre3 Multiple vulnerabilities (CVE-2007-31{89,90,91,92})

Bug#: 192240
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: trivial
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: http://marc.info/?l=full-disclosure&m=118151087109711&w=2
Summary: net-analyzer/jffnms < 0.8.4-pre3 Multiple vulnerabilities (CVE-2007-31{89,90,91,92})
Keywords:
Status Whiteboard: ~3 [noglsa]

Opened: 2007-09-11 21:43 0000
|
jffnms-0.8.3-r1 is vulnerable to the following issues:

CVE-2007-3189
Cross-site scripting (XSS) vulnerability in auth.php in Just For Fun Network
Management System (JFFNMS) 0.8.3 allows remote attackers to inject arbitrary
web script or HTML via the user parameter.

CVE-2007-3190
Multiple SQL injection vulnerabilities in auth.php in Just For Fun Network
Management System (JFFNMS) 0.8.3, when magic_quotes_gpc is disabled, allow
remote attackers to execute arbitrary SQL commands via the (1) user and (2)
pass parameters.

CVE-2007-3191
Just For Fun Network Management System (JFFNMS) 0.8.3 allows remote attackers
to obtain configuration information via a direct request to admin/adm/test.php,
which calls the phpinfo function.

CVE-2007-3192
admin/setup.php in Just For Fun Network Management System (JFFNMS) 0.8.3 allows
remote attackers to read and modify configuration settings via a direct
request.

0.8.4-pre3 fixed those issues. Patches against 0.8.3 are attached.
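As an added illustration, not JFFNMS code and not the attached patches: the pattern behind the first two findings in a login script like auth.php, which trusts magic_quotes_gpc to escape the user and pass parameters, beside a hardened version. The table and column names (users, username, password_hash) are assumed.

```php
<?php
// Added example, not JFFNMS code: the defect class behind CVE-2007-3189
// and CVE-2007-3190 in a login handler, and its hardened form.
// Table and column names (users, username, password_hash) are assumptions.

// --- Vulnerable pattern ---------------------------------------------------
// Only magic_quotes_gpc stood between request input and the SQL string.
// With the directive off (deprecated in PHP 5.3, removed in 5.4), user and
// pass can change the statement's structure, and user is reflected into
// the HTML response unescaped.
function login_vulnerable(mysqli $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username='$user' AND password='$pass'";
    $res = $db->query($sql);
    if ($res === false || $res->num_rows === 0) {
        echo "Login failed for user $user";   // reflected XSS
        return false;
    }
    return true;
}

// --- Hardened pattern -----------------------------------------------------
// Bound parameters travel separately from the statement text, so input
// cannot alter the query however magic_quotes_gpc is set. The password is
// checked against a salted hash instead of being compared inside the query,
// and the echoed username is HTML-escaped.
function login_hardened(mysqli $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $ok = $stmt->fetch() === true && password_verify($pass, (string) $hash);
    $stmt->close();
    if (!$ok) {
        echo 'Login failed for user '
            . htmlspecialchars($user, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $ok;
}
```

The other two findings are deployment matters rather than code: a phpinfo page such as admin/adm/test.php has no place in a production install, and a setup script like admin/setup.php should be removed or made unreachable once installation is complete.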
Thank you, Robert, for the report. jffnms-0.8.3-r2 is in the tree.

This package was never stable and vulnerable versions are removed from the
tree, so I think this bug is done.

Closing, there never was a stable version. Setting status to noglsa.