| Summary: | dev-php/xhprof: XSS vulnerability in run parameter | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | minor | CC: | php-bugs |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1018114 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
We are not affected by this bug since we only distribute the php extension itself, not the web interface in which this bug lies. (In reply to Ole Markus With from comment #1) > We are not affected by this bug since we only distribute the php extension > itself, not the web interface in which this bug lies. Thanks for checking. |
From ${URL} : xhprof, a hierarchial profiler for PHP, was found to have a Cross-Site Scripting vulnerability in it's run parameter, because it fails to sufficiently sanitize the user input. To exploit this vulnerability, an attacker must entice an unsuspecting user to follow a malicious URI, which could compromise the cookie-based authentication information, execute arbitrary client-side scripts in the context of the browser, or obtain sensitive information. The issue is known to be fixed in Xhprof 0.9.4. References: http://www.securityfocus.com/bid/62928/info http://pecl.php.net/package-changelog.php?package=xhprof&release=0.9.4 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.