| Summary: | www-apps/phpwebsite SQL injection + XML-RPC new thing | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | s_aldinger, web-apps, wendallc |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0497.html | | |
| Whiteboard: | B1? [glsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-08-16 22:14:17 UTC
web-apps please advise. 0.10.2 is due today.

web-apps please verify and bump.

0.10.2_rc1 in CVS. Arches please test and mark stable.

sparc stable.

*** Bug 103035 has been marked as a duplicate of this bug. ***

Stable on x86, stabled on ppc by hansmi.

Finally you got our sexy alpha mark! 0.10.2_rc1 stable on alpha.

Ready for GLSA vote, I tend to a no.

I vote YES. SQL injection on clearly remote-accessible service.

Ok, correcting my vote, koon is right. I'm now pro-glsa.

phpwebsite is probably also vulnerable to the XMLRPC new round of things, described in bug 102576. Setting back to upstream and pulling in Wendall (phpwebsite maintainer) for inputs.

Core team is working on an 0.10.2 release with fixes. We actually don't use the xml-rpc libs, but they are installed with a set of pear packages we use for the news feeds module. There will be a patched version available tomorrow with both fixes. I'll post it as soon as it's up.

Wendall

Hi Wendall,

Any news on when the next release will happen?

Best regards,
Stu

http://phpwebsite.appstate.edu/downloads/rc/phpwebsite-0.10.2-RC2.tar.gz

Kevin forgot to provide the MD5 hash. Will have him do this first thing in the morning. Since the core team were unable to reproduce the sql injection reported, some extra checks were put into place. This has been marked a low priority for the security team. The pear update is available in the release candidate. If all testing goes well, I'd expect a full 0.10.2 release by Friday.

Wendall

rc2 in CVS.

rc2 sparc stable.

Stable on ppc.

rc2 x86 stable.

rc2 stable on alpha, ready for GLSA.

GLSA 200508-21