Bug 235060 (CVE-2005-4607) - www-apps/bugport <=1.147 Multiple vulnerabilities (CVE-2005-{4607,4608,4609})
Summary: www-apps/bugport <=1.147 Multiple vulnerabilities (CVE-2005-{4607,4608,4609})
Status: RESOLVED FIXED
Alias: CVE-2005-4607
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://pridels0.blogspot.com/2005/12/...
Whiteboard: B3 [masked | noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-18 00:07 UTC by Robert Buchholz (RETIRED)
Modified: 2008-09-10 10:50 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-18 00:07:38 UTC
CVE-2005-4607 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-4607):
  Cross-site scripting (XSS) vulnerability in index.php in BugPort 1.147 and
  earlier allows remote attackers to inject arbitrary web script or HTML via
  the (1) ids[0], (2) action, (3) report_id, (4) devWherePair[1][1], and (5)
  binds[0] parameters.

CVE-2005-4608 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-4608):
  SQL injection vulnerability in index.php in BugPort 1.147 allows remote
  attackers to execute arbitrary SQL commands via the (1) devWherePair[0], (2)
  orderBy, and (3) where parameters.

CVE-2005-4609 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-4609):
  index.php in BugPort 1.147 and earlier allows remote attackers to obtain
  sensitive information such as full path and system configuration via an
  invalid action parameter.
Comment 1 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-10 07:12:53 UTC
Upstream looks dead. Masked package, issued last rites.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-10 10:39:47 UTC
maskglsa decision: I vote NO.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-10 10:50:41 UTC
no too, closing.