Bug 127194

Summary:	www-apps/phpwebsite: Multiple SQL injection vulnerabilities (CVE-2006-1330)
Product:	Gentoo Security	Reporter:	Matthias Geerdsen (RETIRED) <vorlon>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	web-apps
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1330
Whiteboard:	B3 [?] vorlon
Package list:		Runtime testing required:	---

Description Matthias Geerdsen (RETIRED) gentoo-dev

2006-03-22 08:47:07 UTC

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1330 :
Multiple SQL injection vulnerabilities in phpWebsite allow remote attackers to execute arbitrary SQL commands via the sid parameter to (1) friend.php or (2) article.php.

http://www.securityfocus.com/bid/17150

---
there does not seem to be a fix available so far

web-apps pls validate

Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev

2006-03-27 08:05:14 UTC

posted a bug with phpwebsite, which got no response so far

but they now have the following info on their website:

Security warning
Posted by: Matt on 03/27/2006 08:27 AM
Various security sites have released a warning for phpWebSite. They refer to some old files used after a 0.8.x conversion. If you still have article.php or friend.php in your installation, delete them.

Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev

2006-03-30 14:26:08 UTC

So how should we go on with this one if the two files are from older versions and should not be present on current installations?
And how big is the chance of these files still being present...


web-apps... any comments?

Comment 3 Renat Lumpau (RETIRED) gentoo-dev

2006-03-31 07:32:00 UTC

I'd say that's quite unlikely.

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2006-04-01 02:49:58 UTC

Closing as INVALID, feel free to reopen if you have any evidence this could be happening on Gentoo.