Bug 127194

Summary: www-apps/phpwebsite: Multiple SQL injection vulnerabilities (CVE-2006-1330)
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1330
Whiteboard: B3 vorlon
Package list:
Runtime testing required: ---

Description Matthias Geerdsen (RETIRED) gentoo-dev 2006-03-22 08:47:07 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1330 :
Multiple SQL injection vulnerabilities in phpWebsite allow remote attackers to execute arbitrary SQL commands via the sid parameter to (1) friend.php or (2) article.php.

http://www.securityfocus.com/bid/17150

---
there does not seem to be a fix available so far

web-apps pls validate
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-03-27 08:05:14 UTC
Posted a bug with phpwebsite, which has received no response so far.

but they now have the following info on their website:

Security warning
Posted by: Matt on 03/27/2006 08:27 AM
Various security sites have released a warning for phpWebSite. They refer to some old files used after a 0.8.x conversion. If you still have article.php or friend.php in your installation, delete them.
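The vendor's advice above reduces to a file check; the script below is an added example for auditing installations, not code from the bug report or from the phpWebSite project. The webroot path in the usage note is a placeholder assumption.

```sh
#!/bin/sh
# Added example: report phpWebSite installs that still carry the pre-0.8.x
# leftovers article.php and friend.php named in CVE-2006-1330.
# Assumes each webroot to inspect is passed as an argument.

# Print "<webroot>: <file>" for each leftover found at the top level of the
# given webroot (where the 0.8.x conversion left them).
# Returns 1 when at least one leftover exists, 0 when the install is clean.
find_legacy_files() {
    root="$1"
    found=0
    for f in article.php friend.php; do
        if [ -f "$root/$f" ]; then
            printf '%s: %s\n' "$root" "$f"
            found=1
        fi
    done
    return $found
}

# Scan every webroot given as an argument; returns 1 when any of them still
# has a leftover, so the result can drive a cron job or a deploy check.
scan_webroots() {
    status=0
    for root in "$@"; do
        find_legacy_files "$root" || status=1
    done
    return $status
}
```

Usage: `scan_webroots /var/www/localhost/htdocs/phpwebsite` (placeholder path); a non-zero exit means a listed file should be deleted as the vendor advises.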
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2006-03-30 14:26:08 UTC
So how should we go on with this one if the two files are from older versions and should not be present on current installations?
And how big is the chance of these files still being present...

web-apps... any comments?
Comment 3 Renat Lumpau (RETIRED) gentoo-dev 2006-03-31 07:32:00 UTC
I'd say that's quite unlikely.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-04-01 02:49:58 UTC
Closing as INVALID, feel free to reopen if you have any evidence this could be happening on Gentoo.