CVE-2008-0092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0092): Cross-site scripting (XSS) vulnerability in index.php in the search module in Appalachian State University phpWebSite 1.4.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
CVE-2008-6266 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6266): SQL injection vulnerability in links.php in Appalachian State University phpWebSite allows remote attackers to execute arbitrary SQL commands via the cid parameter in a viewlink action.
Our versions in the tree are ancient and I don't have the time at hand to review them based on slim advisories on bugtraq. Anyone else got some information whether we are affected?
I've committed version 1.7.2, which no longer has a links.php. So the CVE-2008-6266 does not apply. At least in 1.7.2, phpwebsite uses PEAR-DB (internal copy) to proxy to the database-specific escape functions. Should be safe (note the conditional). In any case, I'd like to get rid of phpwebsite-0.11.
Thanks, Matti. Adding CVE-2011-4265 which affects phpWebsite below 1.0.0.
Arches, please test and mark stable:
=www-apps/phpwebsite-1.7.2
Target KEYWORDS: "alpha ppc sparc x86"
x86 stable
alpha/sparc keywords dropped
ppc stable, last arch.
Thanks, folks. GLSA Vote: yes.
I vote NO.
GLSA vote: no. Closing noglsa.