Bug 98328 - dev-db/phppgadmin: Input Validation Hole in 'formLanguage' (CAN-2005-2256)
Bug#: 98328
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: vorlon@gentoo.org
Component: Vulnerabilities
URL: http://securitytracker.com/alerts/2005/Jul/1014414.html
Summary: dev-db/phppgadmin: Input Validation Hole in 'formLanguage' (CAN-2005-2256)
Keywords:
Status Whiteboard: C3 [noglsa] jaervosz
Opened: 2005-07-08 02:55 0000
phpPgAdmin Input Validation Hole in 'formLanguage' Discloses Files to Remote
Users
SecurityTracker Alert ID: 1014414
SecurityTracker URL: http://securitytracker.com/id?1014414
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 7 2005
Impact: Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 3.5.3 and prior versions
Description: A vulnerability was reported in phpPgAdmin. A remote user can
view files on the target system.
The script does not properly validate user-supplied input in the 'formLanguage'
parameter. A remote user can supply a specially crafted parameter value
containing encoded directory traversal characters to view files on the target
system.
A demonstration exploit URL is provided:
formUsername=username&formPassword=password&formServer=0
&formLanguage=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/pa
sswd%00&submitLogin=Login
SecurityFocus reported this vulnerability. No credit was provided.
Impact: A remote user can view files on the target system with the privileges
of the target web service.
Solution: No solution was available at the time of this entry.
Vendor URL: phppgadmin.sourceforge.net/
Cause: Input validation error
_______
postgresql/web-apps pls validate/advise
oops... stupid me... reassigning ;-)
Version 3.5.4
-------------
Bugs
* Fix security hole in include() of language file:
http://secunia.com/advisories/15941/
Check now requires that the language filename be in the list
of known allowed filenames.
* Fix that functions returning cstring were not being listed
* Make parsing of PostgreSQL 1-dimensional arrays correct. Makes
named function parameter use more reliable.
* Fix downloading of the results of multiline queries.
Postgres / web-apps peeps: anyone interested in herding that package and bumping it
to the secure version? We'll probably remove it from portage if no one takes it.
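The 3.5.4 changelog entry above describes the fix as requiring the language filename to be in a list of known allowed filenames. That pattern in PHP, as an added example that is not phpPgAdmin's own code; `LANG_DIR`, `$allowedLangFiles` and `resolveLanguageFile()` are hypothetical names, and the language list and sample inputs are constructed:

```php
<?php
// Added example, not phpPgAdmin code. All names below are hypothetical.

const LANG_DIR = __DIR__ . '/lang';

// Allowlist: request value => file name on disk. Only these can ever be loaded.
$allowedLangFiles = [
    'english' => 'english.php',
    'german'  => 'german.php',
    'french'  => 'french.php',
];

// Vulnerable pattern (shown for contrast, commented out): the request value is
// interpolated into the include path, so "../" sequences and, on old PHP
// versions, a trailing NUL byte decide which file is read.
//   include LANG_DIR . '/' . $_REQUEST['formLanguage'] . '.php';

/**
 * Return the path of the language file for $requested, or the path of the
 * default language when the value is not an exact key of the allowlist.
 * Assumes $default is itself a key of $allowed.
 */
function resolveLanguageFile($requested, array $allowed, string $default = 'english'): string
{
    // Arrays (formLanguage[]=x) and other non-strings are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        $requested = $default;
    }
    // The path is built from the allowlist value, never from the request.
    return LANG_DIR . '/' . $allowed[$requested];
}

// Constructed inputs: a valid name, the traversal shape from the advisory
// (already URL-decoded, as PHP presents it), an array parameter, and a
// value that differs from an allowlist key only by case.
$samples = ['german', "../../../../etc/passwd\0", ['x'], 'GERMAN'];
foreach ($samples as $value) {
    $path = resolveLanguageFile($value, $allowedLangFiles);
    printf("%-45s -> %s\n", json_encode($value), basename($path));
}
```

Because the path is taken from the allowlist value rather than from the request, the check does not depend on the `magic_quotes_gpc` setting that the Debian advisory mentions.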
--------------------------------------------------------------------------
Debian Security Advisory DSA 759-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
July 18th, 2005 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : phppgadmin
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-2256
BugTraq ID : 14142
A vulnerability has been discovered in phppgadmin, a set of PHP
scripts to administrate PostgreSQL over the WWW, that can lead to
disclose sensitive information. Successful exploitation requires that
"magic_quotes_gpc" is disabled.
mholzer already bumped it to 3.5.4 on 15-Jul-2005
Oops. In fact it was already in portage.
Arches, please test and mark stable:
Target KEYWORDS="x86 ppc sparc hppa amd64"
Sorry for the delay, stable on amd64.
Ready for GLSA vote. I've no opinion yet.
AFAIR magic_quotes_gpc is enabled by default -> downgrading severity.
I tend to vote NO.