CVE-2004-2155 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-2155): Online-bookmarks before 0.4.6 allows remote attackers to bypass its authentication mechanism via a direct request to (1) config/*, (2) bookmarks.php, (3) footer.php, (4) main.php, (5) tree.php, or (6) functions.php.

CVE-2006-6358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6358): SQL injection vulnerability in the login function in auth.inc in Stefan Frech online-bookmarks 0.6.12 allows remote attackers to execute arbitrary SQL commands via the (1) username and possibly the (2) password parameter. NOTE: some of these details are obtained from third party information.

CVE-2006-6359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6359): Cross-site scripting (XSS) vulnerability in Stefan Frech online-bookmarks 0.6.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
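The two bug classes named above (an include file that does its work when requested directly, and a login query built by string concatenation) are shown here side by side with their hardened forms. This is an added illustration written for this report, not code from online-bookmarks or its changelog; every file, table, column and constant name is hypothetical.

```php
<?php
// Illustration only; not the online-bookmarks code base. All names are made up.

// ---- functions.php / config/* pattern (CVE-2004-2155 class) ----
// An include-only file that runs real logic when fetched directly bypasses
// whatever index.php checked before including it. Guard it: the front
// controller defines a constant before include(); a direct request never has it.
// (Keeping such files outside the web root removes the problem entirely.)
if (!defined('OB_ENTRY')) {          // OB_ENTRY is a hypothetical constant
    http_response_code(403);
    exit('Direct access not permitted');
}

// ---- auth.inc pattern (CVE-2006-6358 class) ----
// Vulnerable: $username and $password land inside the SQL text, so the
// input controls the query structure, not just the value being compared.
function login_vulnerable(mysqli $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username'"
         . " AND password = '$password'";
    $res = $db->query($sql);
    return $res !== false && $res->num_rows === 1;
}

// Hardened: a prepared statement binds the username as data, and the password
// is checked against a stored password_hash() value rather than compared in SQL.
function login_hardened(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row !== null && password_verify($password, $row['password_hash']);
}

// ---- output side (CVE-2006-6359 class) ----
// Anything reflected into HTML, including the username echoed after login,
// goes through an escaping helper; the browser then sees text, not markup.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Detection note: for the first class, web server access logs showing 200 responses to direct GETs of config/* or functions.php without a prior session are a simple indicator that the guard is missing.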
Maybe we can bump to the latest version here, haven't looked at the code yet.
Updated to online-bookmarks-0.6.28. The change log suggests that all sec issues have been fixed in that version. Targets: ppc
Thanks for investigating.
ppc stable
time for GLSA decision, I vote YES.
Removed vulnerable version. webapps done.
YES too, request filed.
GLSA 200901-08, sorry for the delay.