Bug 102785

Summary: www-apps/phpwebsite SQL injection + XML-RPC new thing
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: s_aldinger, web-apps, wendallc
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0497.html
Whiteboard: B1? [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-16 22:14:17 UTC
phpWebSite 0.10.1 full is vulnerable to an SQL injection attack. Full
description in the URL.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-16 22:15:05 UTC
web-apps please advise. 
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-17 09:05:29 UTC
0.10.2 is due today. web-apps please verify and bump. 
Comment 3 Renat Lumpau (RETIRED) gentoo-dev 2005-08-17 16:33:54 UTC
0.10.2_rc1 in CVS
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-17 21:58:38 UTC
Arches please test and mark stable. 
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2005-08-18 08:39:43 UTC
sparc stable.
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2005-08-19 02:32:59 UTC
*** Bug 103035 has been marked as a duplicate of this bug. ***
Comment 7 Renat Lumpau (RETIRED) gentoo-dev 2005-08-19 04:36:53 UTC
Stable on x86, stabled on ppc by hansmi
Comment 8 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-08-20 08:28:37 UTC
Finally you got our sexy alpha mark! 

0.10.2_rc1 stable on alpha.
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-20 08:31:17 UTC
Ready for GLSA vote, I tend to a no.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-08-21 07:22:51 UTC
I vote YES. SQL injection on clearly remote-accessible service.
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-21 07:42:48 UTC
Ok, correcting my vote, koon is right. I'm now pro-glsa.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-08-21 08:54:19 UTC
phpwebsite is probably also vulnerable to the XMLRPC new round of things,
described in bug 102576.

Setting back to upstream and pulling in Wendall (phpwebsite maintainer) for inputs.
Comment 13 Wendall Cada 2005-08-21 11:21:02 UTC
Core team is working on an 0.10.2 release with fixes. We actually don't use the
xml-rpc libs, but they are installed with a set of pear packages we use for the
news feeds module. There will be a patched version available tomorrow with both
fixes. I'll post it as soon as it's up.

Wendall
Comment 14 Stuart Herbert (RETIRED) gentoo-dev 2005-08-24 12:04:48 UTC
Hi Wendall,

Any news on when the next release will happen?

Best regards,
Stu
Comment 15 Wendall Cada 2005-08-24 16:46:47 UTC
http://phpwebsite.appstate.edu/downloads/rc/phpwebsite-0.10.2-RC2.tar.gz
Kevin forgot to provide the MD5 hash. Will have him do this first thing in the
morning. Since the core team were unable to reproduce the sql injection
reported, some extra checks were put into place. This has been marked a low
priority for the security team. The pear update is available in the release
candidate. If all testing goes well, I'd expect a full 0.10.2 release by Friday.

Wendall
Comment 16 Renat Lumpau (RETIRED) gentoo-dev 2005-08-24 19:05:39 UTC
rc2 in CVS
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2005-08-25 07:51:59 UTC
rc2 sparc stable.
Comment 18 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-25 11:24:32 UTC
Stable on ppc.
Comment 19 Renat Lumpau (RETIRED) gentoo-dev 2005-08-26 14:18:16 UTC
rc2 x86 stable
Comment 20 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-08-30 16:48:46 UTC
rc2 stable on alpha
Comment 21 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-30 19:43:23 UTC
ready for GLSA
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-31 07:39:58 UTC
GLSA 200508-21