Bug#: 123442
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Stefan Cornelius (RETIRED) <dercorny@gentoo.org>

Description:   Opened: 2006-02-19 21:35 0000
There are several Cross Site Scripting issues in ADOdb versions 4.71 and possibly earlier that may allow for an attacker to render malicious client-side code in the victim's browser.

## Page number read straight from the query string and cached in the
## session without any validation; the stored value is reused on later requests.
if (isset($_GET[$next_page])) {
        $_SESSION[$curr_page] = $_GET[$next_page];
}
if (empty($_SESSION[$curr_page])) $_SESSION[$curr_page] = 1; ## at first page

## The unvalidated value becomes the pager's current page.
$this->curr_page = $_SESSION[$curr_page];

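The pattern in the snippet above, shown as an added example beside a hardened form (this is illustrative code written for this page, not ADOdb's own pager; the function names render_pager_unsafe and render_pager_safe and the assumption that the stored page value is later echoed into HTML are mine, and the request arrays are constructed):

```php
<?php
// Added example, not ADOdb's code. The helper names are hypothetical.
// $get and $session stand in for $_GET and $_SESSION so the functions run
// from the CLI without a web server.

// Unsafe: mirrors the reported snippet. The page number is copied from the
// query string into the session unvalidated and (assumed here) later
// echoed into the pager's HTML, so a payload in ?page= is reflected on
// this request and on every later request that renders the pager.
function render_pager_unsafe(array $get, array &$session,
                             string $next_page = 'page',
                             string $curr_page = 'curr_page'): string
{
    if (isset($get[$next_page])) {
        $session[$curr_page] = $get[$next_page];
    }
    if (empty($session[$curr_page])) {
        $session[$curr_page] = 1; // at first page
    }
    // Raw session value concatenated into markup: the XSS sink.
    return '<span class="page">' . $session[$curr_page] . '</span>';
}

// Hardened: validate at the input boundary and escape at the output boundary.
function render_pager_safe(array $get, array &$session,
                           string $next_page = 'page',
                           string $curr_page = 'curr_page',
                           int $max_page = PHP_INT_MAX): string
{
    if (isset($get[$next_page])) {
        // Accept only a positive integer. Anything else (text, a script tag,
        // an array from ?page[]=x) is rejected and the pager stays on its
        // previous page instead of storing attacker-controlled text.
        $page = filter_var($get[$next_page], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => $max_page]]);
        if ($page !== false) {
            $session[$curr_page] = $page;
        }
    }
    if (empty($session[$curr_page])) {
        $session[$curr_page] = 1; // at first page
    }
    // Defence in depth: escape even though the value is now an integer, so a
    // future change to the validation cannot silently reopen the sink.
    return '<span class="page">'
        . htmlspecialchars((string) $session[$curr_page], ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Constructed demo requests: the first carries a classic script payload in
// the page parameter, the second a legitimate page number.
$payload = '<script>alert(document.cookie)</script>';

$session = [];
echo "unsafe: ", render_pager_unsafe(['page' => $payload], $session), "\n";

$session = [];
echo "safe:   ", render_pager_safe(['page' => $payload], $session), "\n";

$session = [];
echo "safe:   ", render_pager_safe(['page' => '3'], $session), "\n";
```

Run it with `php pager.php`. The unsafe function hands the payload back inside the markup, and because the value was also written to the session the reflection persists across requests; the hardened function discards the payload, falls back to page 1, and escapes whatever it does emit. Whitelisting the type (a bounded integer) is the real fix here; htmlspecialchars alone would stop the script but still let garbage into the session.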
------- Comment #1 From Stefan Cornelius (RETIRED) 2006-02-19 21:36:53 0000 -------
web-apps team please bump, thx.

------- Comment #2 From Jakub Moc (RETIRED) 2006-02-20 04:00:50 0000 -------
Not webapps ;) Also, there's no update available now, 4.71 is still latest
version upstream.

------- Comment #3 From Stefan Cornelius (RETIRED) 2006-02-23 07:50:32 0000 -------
4.72 seems to be released,
http://sourceforge.net/project/showfiles.php?group_id=42718&package_id=34890&release_id=395252

------- Comment #4 From Luca Longinotti 2006-02-23 09:27:48 0000 -------
Thanks for the notification, dev-php/adodb-4.72 is now in the tree.
Best regards, CHTEKK.

------- Comment #5 From Stefan Cornelius (RETIRED) 2006-02-23 09:30:13 0000 -------
arches pls test and mark stable, thx

------- Comment #6 From Thierry Carrez (RETIRED) 2006-02-23 09:56:18 0000 -------
Stefan, please add arches when setting [stable]
Target KEYWORDS="alpha amd64 ia64 ppc ppc64 ~sparc x86"

------- Comment #7 From Markus Rothe 2006-02-23 12:54:12 0000 -------
stable on ppc64

------- Comment #8 From Mark Loeser 2006-02-24 20:23:09 0000 -------
x86 done

------- Comment #9 From Bryan Østergaard (RETIRED) 2006-02-26 06:37:03 0000 -------
Stable on alpha + ia64.

------- Comment #10 From Tobias Scherbaum 2006-02-26 10:50:31 0000 -------
ppc stable

------- Comment #11 From Simon Stelling (RETIRED) 2006-02-27 11:32:12 0000 -------
amd64 stable. happy voting!

------- Comment #12 From Stefan Cornelius (RETIRED) 2006-02-28 08:11:51 0000 -------
Hehe thx blubb, I tend to say yes

------- Comment #13 From Thierry Carrez (RETIRED) 2006-03-03 09:50:54 0000 -------
I tend to say no... Could be convinced otherwise if a major portage package
made use of this...

------- Comment #14 From Thierry Carrez (RETIRED) 2006-03-06 13:37:52 0000 -------
RDEPs:
dev-php4/adodb-ext-503
dev-php5/adodb-ext-503
net-analyzer/acid-0.9.6_beta23
net-analyzer/acid-0.9.6_beta23-r1
net-analyzer/base-1.2.2
net-analyzer/base-1.2.2-r1
net-www/bugport-1.146

No real XSS victim here, I vote no.

------- Comment #15 From Tavis Ormandy (RETIRED) 2006-03-06 13:39:34 0000 -------
agree with Koon, no major target for XSS, voting NO and closing.
