Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 102785 - www-apps/phpwebsite SQL injection + XML-RPC new thing
Summary: www-apps/phpwebsite SQL injection + XML-RPC new thing
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: B1? [glsa] jaervosz
Keywords:
: 103035 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-08-16 22:14 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-08-31 07:39 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-08-16 22:14:17 UTC
phpWebSite 0.10.1 full is vulnerable to an sql injection attack. Full 
description in the URL.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-16 22:15:05 UTC
web-apps please advise. 
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-17 09:05:29 UTC
0.10.2 is due today. web-apps please verify and bump. 
Comment 3 Renat Lumpau (RETIRED) gentoo-dev 2005-08-17 16:33:54 UTC
0.10.2_rc1 in CVS
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-17 21:58:38 UTC
Arches please test and mark stable. 
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2005-08-18 08:39:43 UTC
sparc stable.
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2005-08-19 02:32:59 UTC
*** Bug 103035 has been marked as a duplicate of this bug. ***
Comment 7 Renat Lumpau (RETIRED) gentoo-dev 2005-08-19 04:36:53 UTC
Stable on x86, stabled on ppc by hansmi
Comment 8 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-08-20 08:28:37 UTC
Finally you got our sexy alpha mark! 

0.10.2_rc1 stable on alpha.
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-20 08:31:17 UTC
Ready for GLSA vote, I tend to a no.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-08-21 07:22:51 UTC
I vote YES. SQL injection on clearly remote-accessible service.
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-21 07:42:48 UTC
Ok, correcting my vote, koon is right. I'm now pro-glsa.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-08-21 08:54:19 UTC
phpwebsite is probably also vulnerable to the XMLRPC new round of things,
described in bug 102576.

Setting back to upstream and pulling in Wendall (phpwebsite maintainer) for inputs.
Comment 13 Wendall Cada 2005-08-21 11:21:02 UTC
Core team is working on an 0.10.2 release with fixes. We actually don't use the
xml-rpc libs, but they are installed with a set of pear packages we use for the
news feeds module. There will be a patched version available tormorrow with both
fixes. I'll post it as soon as it's up.

Wendall
Comment 14 Stuart Herbert (RETIRED) gentoo-dev 2005-08-24 12:04:48 UTC
Hi Wendall,

Any news on when the next release will happen?

Best regards,
Stu
Comment 15 Wendall Cada 2005-08-24 16:46:47 UTC
http://phpwebsite.appstate.edu/downloads/rc/phpwebsite-0.10.2-RC2.tar.gz
Kevin forgot to provide the MD5 hash. Will have him do this first thing in the
morning. Since the core team were unable to reproduce the sql injection
reported, some extra checks were put into place. This has been marked a low
priority for the security team. The pear update is available in the release
candidate. If all testing goes well, I'd expect a full 0.10.2 release by Friday.

Wendall
Comment 16 Renat Lumpau (RETIRED) gentoo-dev 2005-08-24 19:05:39 UTC
rc2 in CVS
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2005-08-25 07:51:59 UTC
rc2 sparc stable.
Comment 18 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-25 11:24:32 UTC
Stable on ppc.
Comment 19 Renat Lumpau (RETIRED) gentoo-dev 2005-08-26 14:18:16 UTC
rc2 x86 stable
Comment 20 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-08-30 16:48:46 UTC
rc2 stable on alpha
Comment 21 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-30 19:43:23 UTC
ready for GLSA
Comment 22 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-31 07:39:58 UTC
GLSA 200508-21