Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 260274 (CVE-2008-0092)

Summary: <www-apps/phpwebsite-1.7.2: XSS / SQL injection (CVE-2008-{0092,6266},CVE-2011-4265)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 17:31:37 UTC 
CVE-2008-0092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0092):
  Cross-site scripting (XSS) vulnerability in index.php in the search
  module in Appalachian State University phpWebSite 1.4.0 allows remote
  attackers to inject arbitrary web script or HTML via the search
  parameter.

CVE-2008-6266 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6266):
  SQL injection vulnerability in links.php in Appalachian State
  University phpWebSite allows remote attackers to execute arbitrary
  SQL commands via the cid parameter in a viewlink action.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 17:33:08 UTC 
Our versions in the tree are ancient and I don't have the time at hand to review them based on slim advisories on bugtraq. Anyone else got some information whether we are affected?
Comment 2 Matti Bickel (RETIRED) gentoo-dev 2012-06-26 10:43:40 UTC 
I've committed version 1.7.2, which no longer has an links.php. So the CVE-2008-6266 does not apply.

At least in 1.7.2, phpwebsite uses PEAR-DB (internal copy) to proxy to the database specific escape functions. Should be safe (note the conditional).

In any case, I'd like to get rid of phpwebsite-0.11.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-10 23:14:28 UTC 
Thanks, Matti.

Adding CVE-2011-4265 which affects phpWebsite below 1.0.0.

Arches, please test and mark stable:
=www-apps/phpwebsite-1.7.2
Target KEYWORDS: "alpha ppc sparc x86"
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-11 00:20:10 UTC 
x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2012-07-15 17:02:56 UTC 
alpha/sparc keywords dropped
Comment 6 Michael Weber (RETIRED) gentoo-dev 2012-08-21 16:02:46 UTC 
ppc stable, last arch.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-08-21 16:19:22 UTC 
Thanks, folks. GLSA Vote: yes.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-21 19:14:05 UTC 
I vote NO.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-19 10:26:53 UTC 
GLSA vote: no.

Closing noglsa.