| Summary: | dev-php5/jpgraph jpgraph_errhandler.inc.php LFI vulnerability (CVE-2008-5694) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED NEEDINFO | | |
| Severity: | normal | CC: | php-bugs |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.by-f10.com/bug.txt | | |
| Whiteboard: | B1? [upstream unconfirmed] | | |
| Package list: | | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
Unfortunately, the advisory is only available at http://www.by-f10.com/bug.txt; I could not find a copy, and the server is unavailable. Let's track this issue as unconfirmed for now.

I did not thoroughly review the code, but there is no obvious RFI there.

Cannot find the contents of the advisory URL anywhere either, and had a quick look at the code myself... jpgraph itself is not vulnerable, i.e. just by having jpgraph installed nobody will be able to exploit the issue. We are talking about a local file inclusion vulnerability here, btw, not remote. And maybe XSS, because the filename becomes part of an error message in case of an error.

Any application which calls JpGraphError::SetErrLocale() with untrusted user input may be vulnerable to this issue, but to actually execute PHP code an attacker has to place the code as a file on the system somehow (image upload functionality or similar). Depending on how the used libc handles \0 bytes, the attack may be limited to files ending with .inc.php anyway, so... Still, a fix should probably be applied to jpgraph.

Even the CVE doesn't have much information beyond this affecting an old version of sandbox (long gone from tree). Closing NEEDINFO.
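To make the discussed attack surface concrete, the following PHP is an added example and is neither jpgraph's code nor part of the bug report. It models the pattern the comments describe: an application forwards an untrusted locale name into a loader that turns it into an include path, so a path-traversal value reaches `require_once`, and the raw value is interpolated into the error message. Next to it is a hardened loader that validates the name syntactically and then checks it against the set of locale files actually present. The function names, the `lang/` directory and the `.inc.php` suffix are assumptions about how such a loader is laid out, not facts about jpgraph.

```php
<?php
// Added example, not jpgraph's code. Models the LFI pattern the bug
// discusses: an untrusted locale name concatenated into an include path.

const LANG_DIR = __DIR__ . '/lang';   // assumed layout, not jpgraph's

// Vulnerable shape (assumption about how such a loader might be built):
// the locale name goes straight into the path.
function load_locale_unsafe(string $aLocale): string
{
    $file = LANG_DIR . '/' . $aLocale . '.inc.php';
    // "../../uploads/shell" walks out of LANG_DIR; with an attacker-placed
    // shell.inc.php (e.g. via an image upload) this executes PHP. On PHP
    // older than 5.3.4 a "\0" in $aLocale truncated the path, dropping the
    // ".inc.php" suffix; PHP 5.3.4 and later reject paths containing NUL.
    if (!is_file($file)) {
        // The raw name lands in the error text: XSS if echoed unescaped.
        throw new RuntimeException("Unknown locale '$aLocale' ($file)");
    }
    require_once $file;
    return $file;
}

// Hardened shape: the acceptable names are derived from the directory
// itself, and the input is compared against that set, never used as a path
// until it has matched.
function allowed_locales(): array
{
    $names = [];
    foreach (glob(LANG_DIR . '/*.inc.php') ?: [] as $path) {
        $names[] = basename($path, '.inc.php');
    }
    return $names;
}

function load_locale_safe(string $aLocale): string
{
    // Syntactic check first: locale tags look like "en" or "de_DE".
    // \A and \z (not ^ and $) so a trailing newline cannot sneak past.
    if (!preg_match('/\A[a-z]{2}(?:_[A-Z]{2})?\z/', $aLocale)) {
        throw new InvalidArgumentException('Malformed locale name');
    }
    if (!in_array($aLocale, allowed_locales(), true)) {
        throw new InvalidArgumentException('Unsupported locale');
    }
    $file = LANG_DIR . '/' . $aLocale . '.inc.php';
    require_once $file;
    return $file;
}

// Constructed inputs: one normal value and two attacker-style values.
foreach (['de_DE', "../../etc/passwd\0", '../../uploads/shell'] as $input) {
    try {
        echo load_locale_safe($input), "\n";
    } catch (InvalidArgumentException $e) {
        // The untrusted value is deliberately not interpolated here.
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The important design choice is that the hardened loader never lets the user-supplied string influence which file is opened until it has been matched, byte for byte, against a name read from the filesystem; a regex alone is weaker, since it still trusts the input to build the path. Keeping the raw value out of the exception message also closes the reflected-XSS angle the comment mentions.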