Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 192240

Summary: net-analyzer/jffnms < 0.8.4-pre3 Multiple vulnerabilities (CVE-2007-31{89,90,91,92})
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: netmon
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://marc.info/?l=full-disclosure&m=118151087109711&w=2
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
20_security.dpatch none

Description Robert Buchholz (RETIRED) gentoo-dev 2007-09-11 21:43:23 UTC 
jffnms-0.8.3-r1 is vulnerable to the following issues:

CVE-2007-3189
Cross-site scripting (XSS) vulnerability in auth.php in Just For Fun Network Management System (JFFNMS) 0.8.3 allows remote attackers to inject arbitrary web script or HTML via the user parameter.

CVE-2007-3190
Multiple SQL injection vulnerabilities in auth.php in Just For Fun Network Management System (JFFNMS) 0.8.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) user and (2) pass parameters.

CVE-2007-3191
Just For Fun Network Management System (JFFNMS) 0.8.3 allows remote attackers to obtain configuration information via a direct request to admin/adm/test.php, which calls the phpinfo function.

CVE-2007-3192
admin/setup.php in Just For Fun Network Management System (JFFNMS) 0.8.3 allows remote attackers to read and modify configuration settings via a direct request.

0.8.4-pre3 fixed those issues. Patches against 0.8.3 are available attached.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-11 21:46:14 UTC 
Created attachment 130644 [details, diff]
20_security.dpatch

Patches as shipped by Debian.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2007-09-13 17:02:28 UTC 
Thank you, Robert, for report. jffnms-0.8.3-r2 is in the tree.
This package was never stable and vulnerable versions are removed from the tree, so I think this bug is done.
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-13 18:05:18 UTC 
Closing, there never was a stable version.  Setting status to noglsa.