Bug#: 73021
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Carsten Lohrke <carlo@gentoo.org>

Description:   Opened: 2004-12-01 05:24 0000
http://www.phprojekt.com/modules.php?op=modload&name=News&file=article&sid=189&mode=thread&order=0

fixed setup.php: http://phprojekt.com/files/4.2/setup.zip

------- Comment #1 From Matthias Geerdsen 2004-12-01 05:38:53 0000 -------
web-apps pls provide an updated ebuild

rating this B1 for now, if it really allows uploading and executing scripts with the rights of the user running the webserver
carlo, web-apps, can you confirm that?

------- Comment #3 From Matthias Geerdsen 2004-12-01 06:12:46 0000 -------
According to http://www.heise.de/security/news/meldung/53813 (German), this
allows uploading and running any PHP script with the standard test account.
Furthermore it's said to be able to get the database password even without
making use of the test account. All versions of PHProjekt seem to be affected.

Btw, it.sec <http://www.it-sec.de/> who reported this (or Martin Münch of
it.sec), are linking to the article mentioned above.

------- Comment #4 From Carsten Lohrke 2004-12-01 06:16:10 0000 -------
Um, I wasn't 100% correct. I read here
http://www.heise.de/newsticker/meldung/53813 about it. It's said that it's
possible to load and start arbitrary php-scripts via the test account and to
obtain the db password w/o any account. I guess that the latter is possible
locally only, but I won't install and test phprojekt. The information from the
phprojekt guys isn't very helpful, either.

------- Comment #5 From Matthias Geerdsen 2004-12-07 04:54:58 0000 -------
According to the phprojekt website this seems to allow unauthorized changes to
the configuration, which, according to heise, could then allow uploading and
execution of scripts using the default test account.

The tarball on their site seems to have the updated setup.php included already,
our distfile mirrors are spreading the vulnerable version.

http://securitytracker.com/alerts/2004/Dec/1012369.html
http://secunia.com/advisories/13355/
_______

web-apps, pls verify and provide a fixed ebuild asap
This bug was opened nearly a week ago.

------- Comment #6 From Stuart Herbert (RETIRED) 2004-12-07 05:47:14 0000 -------
phprojekt-4.2-r1 is now in the tree.  Sorry for the delay.

Best regards
Stu

------- Comment #7 From Luke Macken (RETIRED) 2004-12-07 07:04:37 0000 -------
archs, please mark phprojekt-4.2-r1 stable.

------- Comment #8 From Jochen Maes (RETIRED) 2004-12-08 00:34:49 0000 -------
stable on ppc

------- Comment #9 From Olivier Crete 2004-12-08 12:17:55 0000 -------
x86 stable

------- Comment #10 From Thierry Carrez (RETIRED) 2004-12-10 14:33:57 0000 -------
GLSA sent, but lists are slow as hell, I didn't even receive the
gentoo-announce feedback... Probably will commit the mail tomorrow so please be
patient.

------- Comment #11 From Thierry Carrez (RETIRED) 2004-12-13 00:39:46 0000 -------
Reposted... now it works.
GLSA 200412-06
