260274 – (CVE-2008-0092) <www-apps/phpwebsite-1.7.2: XSS / SQL injection (CVE-2008-{0092,6266},CVE-2011-4265)

Bug 260274 (CVE-2008-0092) - <www-apps/phpwebsite-1.7.2: XSS / SQL injection (CVE-2008-{0092,6266},CVE-2011-4265)

Summary: <www-apps/phpwebsite-1.7.2: XSS / SQL injection (CVE-2008-{0092,6266},CVE-201...

Status:	RESOLVED FIXED

Alias:	CVE-2008-0092

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2009-02-25 17:31 UTC by Robert Buchholz (RETIRED)
Modified:	2012-09-19 10:26 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2009-02-25 17:31:37 UTC

CVE-2008-0092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0092):
  Cross-site scripting (XSS) vulnerability in index.php in the search
  module in Appalachian State University phpWebSite 1.4.0 allows remote
  attackers to inject arbitrary web script or HTML via the search
  parameter.

CVE-2008-6266 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6266):
  SQL injection vulnerability in links.php in Appalachian State
  University phpWebSite allows remote attackers to execute arbitrary
  SQL commands via the cid parameter in a viewlink action.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2009-02-25 17:33:08 UTC

Our versions in the tree are ancient and I don't have the time at hand to review them based on slim advisories on bugtraq. Anyone else got some information whether we are affected?

Comment 2 Matti Bickel (RETIRED) gentoo-dev

2012-06-26 10:43:40 UTC

I've committed version 1.7.2, which no longer has an links.php. So the CVE-2008-6266 does not apply.

At least in 1.7.2, phpwebsite uses PEAR-DB (internal copy) to proxy to the database specific escape functions. Should be safe (note the conditional).

In any case, I'd like to get rid of phpwebsite-0.11.

Comment 3 Sean Amoss (RETIRED) gentoo-dev

2012-07-10 23:14:28 UTC

Thanks, Matti.

Adding CVE-2011-4265 which affects phpWebsite below 1.0.0.

Arches, please test and mark stable:
=www-apps/phpwebsite-1.7.2
Target KEYWORDS: "alpha ppc sparc x86"

Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev

2012-07-11 00:20:10 UTC

x86 stable

Comment 5 Raúl Porcel (RETIRED) gentoo-dev

2012-07-15 17:02:56 UTC

alpha/sparc keywords dropped

Comment 6 Michael Weber (RETIRED) gentoo-dev

2012-08-21 16:02:46 UTC

ppc stable, last arch.

Comment 7 Tim Sammut (RETIRED) gentoo-dev

2012-08-21 16:19:22 UTC

Thanks, folks. GLSA Vote: yes.

Comment 8 Tobias Heinlein (RETIRED) gentoo-dev

2012-08-21 19:14:05 UTC

I vote NO.

Comment 9 Sean Amoss (RETIRED) gentoo-dev

2012-09-19 10:26:53 UTC

GLSA vote: no.

Closing noglsa.