Bug 189607 - www-apps/ampache < Session Fixation and SQL Injection (CVE-2007-443{7,8})
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2007-08-20 15:45 UTC by Matt Fleming (RETIRED)
Modified: 2007-10-13 11:49 UTC
Description Matt Fleming (RETIRED) gentoo-dev 2007-08-20 15:45:35 UTC
Some vulnerabilities have been reported in Ampache, which can be
exploited by malicious users to conduct SQL injection attacks and by
malicious people to conduct session fixation attacks.

1) Input passed to the "match" parameter in albums.php is not
properly sanitised before being used in SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) An error in the session handling code can be exploited to hijack
another user's session by tricking the user into logging in after
following a specially crafted link.

The vulnerabilities are reported in versions prior to
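Added illustration of the two vulnerability classes named in the description above (not Ampache's code and not taken from the advisory): a "match"-style lookup built by string concatenation beside a bound-parameter version, and a minimal session store that first adopts any session id a client presents and then is fixed by refusing unissued ids and by regenerating the id at login. The album table, its rows, the session store, its flags and all function names are constructed for this example; only the parameter name "match" comes from the report.

```python
import secrets
import sqlite3

# --- 1) SQL injection through the "match" parameter -------------------------
# Constructed schema and rows for the demonstration; not Ampache's tables.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE album (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO album (name) VALUES (?)",
                   [("Abbey Road",), ("Aja",), ("Blue",), ("Kind of Blue",)])
    return db

def albums_vulnerable(db, match):
    # String concatenation: whatever the client sent becomes part of the SQL.
    sql = "SELECT name FROM album WHERE name LIKE '" + match + "%' ORDER BY name"
    return [row[0] for row in db.execute(sql)]

def albums_hardened(db, match):
    # Bound parameter: the value is data, never SQL.  LIKE metacharacters are
    # escaped as well, so the client cannot widen the pattern with % or _.
    escaped = (match.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_"))
    sql = "SELECT name FROM album WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in db.execute(sql, (escaped + "%",))]

# --- 2) Session fixation ---------------------------------------------------
# Minimal server-side session table keyed by the cookie value.  The two flags
# model the two usual fixes: refuse ids the server never issued, and issue a
# fresh id at login.  Both flags off reproduces the vulnerable behaviour.

class SessionStore:
    def __init__(self, strict_ids=False, regenerate_on_login=False):
        self.sessions = {}
        self.strict_ids = strict_ids
        self.regenerate_on_login = regenerate_on_login

    def start(self, presented_id=None):
        # Vulnerable default: adopt any id the client presents (for instance
        # one carried in a crafted link) and create a session under it.
        if presented_id is not None and (
                presented_id in self.sessions or not self.strict_ids):
            self.sessions.setdefault(presented_id, {"user": None})
            return presented_id
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        if self.regenerate_on_login:
            # Drop the pre-authentication id so anyone who planted it loses it.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None

def fixation_attack(strict_ids=False, regenerate_on_login=False):
    """Attacker fixes the id, victim logs in with it; returns whose session the
    attacker's copy of the id now resolves to (None means the attack failed)."""
    store = SessionStore(strict_ids, regenerate_on_login)
    planted = "id-chosen-by-attacker"                # value in the crafted link
    victim_sid = store.start(presented_id=planted)   # victim follows the link
    victim_sid = store.login(victim_sid, "victim")   # victim authenticates
    return store.user_for(planted)                   # attacker replays the id

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", albums_vulnerable(db, payload))   # every album
    print("hardened:  ", albums_hardened(db, payload))     # []
    for flags in [(False, False), (True, False), (False, True)]:
        print("fixation with strict_ids=%s regenerate=%s ->" % flags,
              fixation_attack(*flags))
```

Either session fix alone defeats the planted id in this model; real deployments use both, since regenerating at login does nothing for a session the attacker planted after authentication. The LIKE escaping is a separate point from the injection: binding the parameter stops the SQL from changing, but without escaping a client can still send "%" to match every row.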
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-20 15:47:49 UTC
CC'ing maintainers and setting whiteboard status.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-31 10:11:39 UTC
web-apps, version is in the tree, is it ready for going stable? please advise.
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2007-09-03 06:56:18 UTC
Yes, it is ready. Please stabilize on amd64 ppc and x86
Comment 4 Gunnar Wrobel (RETIRED) gentoo-dev 2007-09-03 07:25:46 UTC
cc'ing affected arches
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-03 07:48:10 UTC
err, I think there was a problem with your cc'ing, and x86 seems already stable :)
arches, please test and mark stable www-apps/ampache-
Target keywords are: "amd64 ppc x86"
Comment 6 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2007-09-03 12:44:27 UTC
Portage (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.17-gentoo-r8 x86_64)
System uname: 2.6.17-gentoo-r8 x86_64 AMD Turion(tm) 64 Mobile Technology MT-37
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 02 Sep 2007 17:00:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
CFLAGS="-march=athlon64 -O2 -pipe"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/terminfo"
CXXFLAGS="-march=athlon64 -O2 -pipe"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="acl acpi amd64 apache apache2 arts bash-completion berkdb cli contrarius cracklib cran crypt cups dbus dvdread encode evo firefox gd glsa gpm iconv inquisitio logrotate midi mmx mpeg mpeg2 mudflap mysql mysqli mythtv ncurses nfs nls nptl nptlonly ogg openmp pcre perl php png portage python qa qt3support readline reflection ruby session spl sse sse2 ssl svg tcpd tiff unicode ups usb v4l v4l2 vfat vim-syntax xml xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="via"
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-03 18:09:45 UTC
ppc stable
Comment 8 Christoph Mende (RETIRED) gentoo-dev 2007-09-04 11:34:01 UTC
amd64 stable
Comment 9 Gunnar Wrobel (RETIRED) gentoo-dev 2007-09-04 13:02:13 UTC
removing web-apps
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-08 15:41:01 UTC
This one is ready for GLSA vote. I vote YES.
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-17 21:08:44 UTC
voting yes too, glsa request filed.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-13 11:49:11 UTC
GLSA 200710-13