Bug 235053 (CVE-2004-2155) - www-apps/online-bookmarks <0.6.28 Login bypass, XSS, SQL injection (CVE-2004-2155,CVE-2006-{6358,6359})
Summary: www-apps/online-bookmarks <0.6.28 Login bypass, XSS, SQL injection (CVE-2004-2155,CVE-2006-{6358,6359})
Status: RESOLVED FIXED
Alias: CVE-2004-2155
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-17 23:27 UTC by Robert Buchholz (RETIRED)
Modified: 2009-01-12 22:33 UTC (History)
Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-17 23:27:32 UTC
CVE-2004-2155 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-2155):
  Online-bookmarks before 0.4.6 allows remote attackers to bypass its
  authentication mechanism via a direct request to (1) config/*, (2)
  bookmarks.php, (3) footer.php, (4) main.php, (5) tree.php, or (6)
  functions.php.

CVE-2006-6358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6358):
  SQL injection vulnerability in the login function in auth.inc in Stefan Frech
  online-bookmarks 0.6.12 allows remote attackers to execute arbitrary SQL
  commands via the (1) username and possibly the (2) password parameter.  NOTE:
  some of these details are obtained from third party information.

CVE-2006-6359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6359):
  Cross-site scripting (XSS) vulnerability in Stefan Frech online-bookmarks
  0.6.12 allows remote attackers to inject arbitrary web script or HTML via
  unspecified vectors.
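The flaw class described for auth.inc in CVE-2006-6358 (user input concatenated into the login query) is easy to reproduce in isolation. The script below is an added example, not code from online-bookmarks or from Gentoo; the table name, column names and user rows are constructed for the demonstration, and plaintext passwords are used only so the query shape stays visible (a real application would compare a password hash). It runs offline on an in-memory SQLite database and contrasts the vulnerable string-built query with a parameterized one:

```python
import sqlite3

# Constructed sample data; not taken from the project.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory users table (assumed schema for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check in the style the advisory describes: the username and
    password parameters are spliced straight into the SQL text, so a quote
    in either one changes the statement's structure."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same check with bound parameters: the driver passes the values
    separately from the statement, so quotes and '--' stay data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both implementations against a valid login and two injection
    payloads; returns the outcomes so they can be inspected or asserted."""
    # "alice' --" closes the string literal and comments out the password
    # clause; "' OR 1=1 --" matches every row and returns the first one.
    cases = [("alice", "s3cret"), ("alice' --", "wrong"), ("' OR 1=1 --", "")]
    return {
        "vulnerable": [login_vulnerable(make_db(), u, p) for u, p in cases],
        "fixed": [login_fixed(make_db(), u, p) for u, p in cases],
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

The vulnerable function authenticates `alice' --` with any password and `' OR 1=1 --` with an empty one; the parameterized version accepts only the genuine credentials. Whether the 0.6.12 code was exploitable through the password field as well is, as the NVD entry notes, only partially confirmed, but the string-concatenation pattern makes both parameters equally dangerous.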
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-17 23:28:57 UTC
Maybe we can bump to the latest version here, haven't looked at the code yet.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-10 07:05:10 UTC
Updated to online-bookmarks-0.6.28. The change log suggests that all sec issues have been fixed in that version.

Targets: ppc
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-09-10 10:36:43 UTC
Thanks for investigating.
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-19 18:51:15 UTC
ppc stable
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-19 19:57:31 UTC
time for GLSA decision, I vote YES.
Comment 6 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-21 13:13:33 UTC
Removed vulnerable version. webapps done.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-22 12:41:41 UTC
YES too, request filed.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-12 22:33:54 UTC
GLSA 200901-08, sorry for the delay.